From 0bdec855528fdf5102e0960fc503fe370413b17f Mon Sep 17 00:00:00 2001
From: deraadt <deraadt@openbsd.org>
Date: Sun, 9 Feb 1997 19:24:55 +0000
Subject: [PATCH] buf oflow, eivind@freebsd

---
 usr.bin/oldrdist/defs.h   |  5 +++--
 usr.bin/oldrdist/docmd.c  |  8 ++++----
 usr.bin/oldrdist/expand.c | 15 +++++++++------
 usr.bin/oldrdist/server.c | 10 +++++-----
 4 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/usr.bin/oldrdist/defs.h b/usr.bin/oldrdist/defs.h
index 880c8ee01db..364e4b96b79 100644
--- a/usr.bin/oldrdist/defs.h
+++ b/usr.bin/oldrdist/defs.h
@@ -1,4 +1,4 @@
-/* *	$OpenBSD: defs.h,v 1.5 1996/08/22 20:40:43 millert Exp $*/
+/* *	$OpenBSD: defs.h,v 1.6 1997/02/09 19:24:55 deraadt Exp $*/
 /*
  * Copyright (c) 1983, 1993
  *	The Regents of the University of California.  All rights reserved.
@@ -151,6 +151,7 @@ extern struct passwd *pw;	/* pointer to static area used by getpwent */
 extern struct group *gr;	/* pointer to static area used by getgrent */
 extern char host[];		/* host name of master copy */
 extern char buf[BUFSIZ];	/* general purpose buffer */
+extern char target[BUFSIZ];	/* target/source directory name */
 
 int	 any __P((int, char *));
 char	*colon __P((char *));
@@ -161,7 +162,7 @@ void	 error __P((const char *, ...));
 int	 except __P((char *));
 struct namelist *
 	 expand __P((struct namelist *, int));
-char	*exptilde __P((char [], char *));
+char	*exptilde __P((char [], char *, int));
 void	 fatal __P((const char *, ...));
 int	 inlist __P((struct namelist *, char *));
 void	 insert __P((char *,
diff --git a/usr.bin/oldrdist/docmd.c b/usr.bin/oldrdist/docmd.c
index b6e0f819b98..43eb92f9ca1 100644
--- a/usr.bin/oldrdist/docmd.c
+++ b/usr.bin/oldrdist/docmd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: docmd.c,v 1.7 1996/08/22 20:33:17 millert Exp $	*/
+/*	$OpenBSD: docmd.c,v 1.8 1997/02/09 19:24:56 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1983, 1993
@@ -35,7 +35,7 @@
 
 #ifndef lint
 /* from: static char sccsid[] = "@(#)docmd.c	8.1 (Berkeley) 6/9/93"; */
-static char *rcsid = "$OpenBSD: docmd.c,v 1.7 1996/08/22 20:33:17 millert Exp $";
+static char *rcsid = "$OpenBSD: docmd.c,v 1.8 1997/02/09 19:24:56 deraadt Exp $";
 #endif /* not lint */
 
 #include "defs.h"
@@ -360,7 +360,7 @@ bad:
 
 time_t	lastmod;
 FILE	*tfp;
-extern	char target[], *tp;
+extern	char *tp;
 
 /*
  * Process commands for comparing files to time stamp files.
@@ -457,7 +457,7 @@ cmptime(name)
 	 * first time cmptime() is called?
 	 */
 	if (tp == NULL) {
-		if (exptilde(target, name) == NULL)
+		if (exptilde(target, name, sizeof (target)) == NULL)
 			return;
 		tp = name = target;
 		while (*tp)
diff --git a/usr.bin/oldrdist/expand.c b/usr.bin/oldrdist/expand.c
index b80a79374ea..8024f1dd16e 100644
--- a/usr.bin/oldrdist/expand.c
+++ b/usr.bin/oldrdist/expand.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: expand.c,v 1.5 1996/08/22 20:33:18 millert Exp $	*/
+/*	$OpenBSD: expand.c,v 1.6 1997/02/09 19:24:57 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1983, 1993
@@ -35,7 +35,7 @@
 
 #ifndef lint
 /* from: static char sccsid[] = "@(#)expand.c	8.1 (Berkeley) 6/9/93"; */
-static char *rcsid = "$OpenBSD: expand.c,v 1.5 1996/08/22 20:33:18 millert Exp $";
+static char *rcsid = "$OpenBSD: expand.c,v 1.6 1997/02/09 19:24:57 deraadt Exp $";
 #endif /* not lint */
 
 #include "defs.h"
@@ -621,9 +621,10 @@ addpath(c)
  * part corresponding to `file'.
  */
 char *
-exptilde(buf, file)
+exptilde(buf, file, maxlen)
 	char buf[];
 	register char *file;
+	int maxlen;
 {
 	register char *s1, *s2, *s3;
 	extern char homedir[];
@@ -658,13 +659,15 @@ exptilde(buf, file)
 			*s3 = '/';
 		s2 = pw->pw_dir;
 	}
-	for (s1 = buf; *s1++ = *s2++; )
+	for (s1 = buf; (*s1++ = *s2++) && s1 < buf+maxlen; )
 		;
 	s2 = --s1;
-	if (s3 != NULL) {
+	if (s3 != NULL && s1 < buf+maxlen) {
 		s2++;
-		while (*s1++ = *s3++)
+		while ((*s1++ = *s3++) && s1 < buf+maxlen)
 			;
 	}
+	if (s1 == buf+maxlen)
+		return (NULL);
 	return(s2);
 }
diff --git a/usr.bin/oldrdist/server.c b/usr.bin/oldrdist/server.c
index b8531eb9924..8de4fc7aee0 100644
--- a/usr.bin/oldrdist/server.c
+++ b/usr.bin/oldrdist/server.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: server.c,v 1.7 1996/12/22 03:26:00 tholo Exp $	*/
+/*	$OpenBSD: server.c,v 1.8 1997/02/09 19:24:59 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1983, 1993
@@ -35,7 +35,7 @@
 
 #ifndef lint
 /* from: static char sccsid[] = "@(#)server.c	8.1 (Berkeley) 6/9/93"; */
-static char *rcsid = "$OpenBSD: server.c,v 1.7 1996/12/22 03:26:00 tholo Exp $";
+static char *rcsid = "$OpenBSD: server.c,v 1.8 1997/02/09 19:24:59 deraadt Exp $";
 #endif /* not lint */
 
 #include <sys/wait.h>
@@ -125,7 +125,7 @@ server()
 		case 't':  /* init target file/directory name */
 			catname = 0;
 		dotarget:
-			if (exptilde(target, cp) == NULL)
+			if (exptilde(target, cp, sizeof (target)) == NULL)
 				continue;
 			tp = target;
 			while (*tp)
@@ -186,7 +186,7 @@ server()
 				continue;
 			}
 			if (*cp == '~') {
-				if (exptilde(buf, cp) == NULL)
+				if (exptilde(buf, cp, sizeof (buf)) == NULL)
 					continue;
 				cp = buf;
 			}
@@ -258,7 +258,7 @@ install(src, dest, destdir, opts)
 			return;
 	}
 
-	rname = exptilde(target, src);
+	rname = exptilde(target, src, sizeof(target));
 	if (rname == NULL)
 		return;
 	tp = target;
-- 
2.20.1