From eb717357116944737cfa779dc09332ab7cbb4f43 Mon Sep 17 00:00:00 2001
From: millert <>
Date: Thu, 25 Sep 2003 21:14:46 +0000
Subject: Do check for current pointer vs. buffer end before touching any
 elements in the buffer.  Fixes an out of bounds access. From aaron@; OK
 deraadt@

---
 src/lib/libc/net/ns_ntoa.c |  4 ++--
 src/lib/libc/net/rcmd.c    | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

(limited to 'src/lib/libc')

diff --git a/src/lib/libc/net/ns_ntoa.c b/src/lib/libc/net/ns_ntoa.c
index 019e8b0a59..fd67e459da 100644
--- a/src/lib/libc/net/ns_ntoa.c
+++ b/src/lib/libc/net/ns_ntoa.c
@@ -28,7 +28,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
+static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.13 2003/09/25 21:14:46 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/param.h>
@@ -53,7 +53,7 @@ ns_ntoa(struct ns_addr addr)
 	cp = spectHex(obuf);
 	rem = sizeof(obuf) - (cp - obuf);
 	cp2 = cp + 1;
-	while (*up==0 && up < uplim)
+	while (up < uplim && *up==0)
 		up++;
 	if (up == uplim) {
 		if (port) {
diff --git a/src/lib/libc/net/rcmd.c b/src/lib/libc/net/rcmd.c
index f37cb785be..769e85e0a4 100644
--- a/src/lib/libc/net/rcmd.c
+++ b/src/lib/libc/net/rcmd.c
@@ -29,7 +29,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: rcmd.c,v 1.47 2003/07/11 22:39:21 deraadt Exp $";
+static char *rcsid = "$OpenBSD: rcmd.c,v 1.48 2003/09/25 21:14:46 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/param.h>
@@ -485,7 +485,7 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser)
 		p = buf;
 		if (*p == '#')
 			continue;
-		while (*p != '\n' && *p != ' ' && *p != '\t' && p < buf + buflen) {
+		while (p < buf + buflen && *p != '\n' && *p != ' ' && *p != '\t') {
 			if (!isprint(*p))
 				goto bail;
 			*p = isupper(*p) ? tolower(*p) : *p;
@@ -495,13 +495,13 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser)
 			continue;
 		if (*p == ' ' || *p == '\t') {
 			*p++ = '\0';
-			while ((*p == ' ' || *p == '\t') && p < buf + buflen)
+			while (p < buf + buflen && (*p == ' ' || *p == '\t'))
 				p++;
 			if (p >= buf + buflen)
 				continue;
 			user = p;
-			while (*p != '\n' && *p != ' ' &&
-			    *p != '\t' && p < buf + buflen) {
+			while (p < buf + buflen && *p != '\n' && *p != ' ' &&
+			    *p != '\t') {
 				if (!isprint(*p))
 					goto bail;
 				p++;
-- 
cgit v1.2.3-55-g6feb