Fix potential fault where -L/-R/-D could accept a string too long for…

… our portfwd[] array. (Not sure what would happen in this case, mind.) Also modify -L/-R/-D code to cope with IPv4/IPv6 tunnels in saved settings. [originally from svn r5440]
FauxFaux · Mar 4, 2005 · c151955 · c151955
1 parent 8316deb
commit c151955
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/cmdline.c b/cmdline.c
@@ -190,19 +190,20 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
 	dynamic = !strcmp(p, "-D");
 	fwd = value;
 	ptr = cfg->portfwd;
-	/* if multiple forwards, find end of list */
-	if (ptr[0]=='R' || ptr[0]=='L' || ptr[0] == 'D') {
-	    for (i = 0; i < sizeof(cfg->portfwd) - 2; i++)
-		if (ptr[i]=='\000' && ptr[i+1]=='\000')
-		    break;
-	    ptr = ptr + i + 1;  /* point to next forward slot */
+	/* if existing forwards, find end of list */
+	while (*ptr) {
+	    while (*ptr)
+		ptr++;
+	    ptr++;
 	}
+	i = ptr - cfg->portfwd;
 	ptr[0] = p[1];  /* insert a 'L', 'R' or 'D' at the start */
-	if (strlen(fwd) > sizeof(cfg->portfwd) - i - 2) {
+	ptr++;
+	if (1 + strlen(fwd) + 2 > sizeof(cfg->portfwd) - i) {
 	    cmdline_error("out of space for port forwardings");
 	    return ret;
 	}
-	strncpy(ptr+1, fwd, sizeof(cfg->portfwd) - i);
+	strncpy(ptr, fwd, sizeof(cfg->portfwd) - i - 2);
 	if (!dynamic) {
 	    /*
 	     * We expect _at least_ two colons in this string. The
@@ -224,7 +225,7 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
 	}
 	cfg->portfwd[sizeof(cfg->portfwd) - 1] = '\0';
 	cfg->portfwd[sizeof(cfg->portfwd) - 2] = '\0';
-	ptr[strlen(ptr)+1] = '\000';    /* append two '\000' */
+	ptr[strlen(ptr)+1] = '\000';    /* append 2nd '\000' */
     }
     if (!strcmp(p, "-m")) {
 	char *filename, *command;