From 00b5450230ae9da4eb7efa326b0ff6ea7af92b0c Mon Sep 17 00:00:00 2001
From: jsg
Date: Sun, 9 Apr 2017 02:40:24 +0000
Subject: [PATCH] Fix multiple cases of reading past the end of a buffer in the sasyncd(8) config parser found with afl. feedback and ok millert@ ok deraadt@
---
 usr.sbin/sasyncd/conf.y | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/sasyncd/conf.y b/usr.sbin/sasyncd/conf.y
index 5be15a4e5e7..868063c1f5b 100644
--- a/usr.sbin/sasyncd/conf.y
+++ b/usr.sbin/sasyncd/conf.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.y,v 1.18 2015/08/20 22:39:29 deraadt Exp $ */
+/* $OpenBSD: conf.y,v 1.19 2017/04/09 02:40:24 jsg Exp $ */
 /*
 * Copyright (c) 2005 HÃ¥kan Olsson. All rights reserved.
@@ -293,8 +293,10 @@ yylex(void)
 if (!confptr)
 confptr = confbuf;
 else {
- for (p = confptr; *p && p < confbuf + conflen; p++)
+ for (p = confptr; p < confbuf + conflen && *p; p++)
 ;
+ if (p == confbuf + conflen)
+ return 0;
 p++;
 if (!*p)
 return 0;
@@ -389,7 +391,7 @@ conf_parse_file(char *cfgfile)
 /* Prepare the buffer somewhat in the way of strsep() */
 buf[conflen] = (char)0;
- for (s = buf, d = s; *s && s < buf + conflen; s++) {
+ for (s = buf, d = s; s < buf + conflen && *s; s++) {
 if (isspace(*s) && isspace(*(s+1)))
 continue;
 if (*s == '#') {
--
2.20.1
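Review bot: After the added end-of-buffer check in yylex(), the following `p++; if (!*p)` can still dereference `confbuf + conflen` when the NUL that stopped the scan is the last byte inside the buffer. That read is in bounds only if the allocation carries a terminator at index conflen, which the `buf[conflen] = (char)0;` line in conf_parse_file() suggests but this hunk does not establish. Making the bound explicit, `if (p >= confbuf + conflen || !*p) return 0;`, returns the same result without relying on how conf_parse_file() lays out the buffer. yylex()'s body starts and ends outside the hunk.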
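Review bot: In the compaction loop of conf_parse_file(), `isspace(*s)` and `isspace(*(s+1))` are passed what is presumably a plain char read from the configuration file; where char is signed, a byte above 0x7f becomes a negative argument, which the C standard leaves undefined for the <ctype.h> classifiers. Some libcs tolerate this, but the cast makes it portable: `if (isspace((unsigned char)*s) && isspace((unsigned char)*(s+1)))`. The `*(s+1)` look-ahead on the last iteration reads `buf[conflen]`, which is in bounds only because of the terminator stored just above the loop, so a short comment stating that buf holds conflen + 1 bytes would document the invariant the reordered condition depends on. The function body starts and ends outside the hunk.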