From f7e4a620aaa061bca62c2cef7dd508157e482c68 Mon Sep 17 00:00:00 2001
From: Thomas Osterried
Date: Wed, 3 Feb 2021 15:27:28 +0100
Subject: This fixes a bug in ttyutils.c for tty_is_locked, tty_lock() and tty_unlock() for very long path names, i.e. kissattach /dev/serial/by-id/usb-FTDI_usb_serial_converter_FTCAWZIA-if00-port 0 tnc -> Segmentation fault because buffer[50] was not only too short; the length was also not checked. Thanks to David KI6ZHD for reporting this bug.
Signed-off-by: Thomas Osterried
---
 ttyutils.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/ttyutils.c b/ttyutils.c
index 580e9a6..a374103 100644
--- a/ttyutils.c
+++ b/ttyutils.c
@@ -4,6 +4,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "pathnames.h"
@@ -100,7 +101,7 @@ int tty_speed(int fd, int speed)
 int tty_is_locked(char *tty)
 {
- char buffer[50], *s;
+ char buffer[PATH_MAX], *s;
 FILE *fp;
 int pid = 0;
@@ -109,7 +110,9 @@ int tty_is_locked(char *tty)
 else
 s = tty;
- sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s);
+ memset(buffer, 0, sizeof(buffer));
+ sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR);
+ strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1);
 if ((fp = fopen(buffer, "r")) == NULL)
 return FALSE;
@@ -129,7 +132,7 @@ int tty_is_locked(char *tty)
 int tty_lock(char *tty)
 {
- char buffer[50], *s;
+ char buffer[PATH_MAX], *s;
 FILE *fp;
 if ((s = strrchr(tty, '/')) != NULL)
@@ -137,7 +140,9 @@ int tty_lock(char *tty)
 else
 s = tty;
- sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s);
+ memset(buffer, 0, sizeof(buffer));
+ sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR);
+ strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1);
 if ((fp = fopen(buffer, "w")) == NULL)
 return FALSE;
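Review bot: The new `char buffer[PATH_MAX]` declarations depend on the header added in the first hunk, presumably `<limits.h>` (the header names are lost in this rendering), but PATH_MAX is optional in POSIX and some targets, GNU/Hurd among them, do not define it, so the three declaration hunks would stop compiling there. A guarded fallback after the includes keeps the build portable without changing the fixed case: `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif`. The lock path only ever holds LOCK_SERIAL_DIR plus a basename, so any such bound is generous.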
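Review bot: In the tty_is_locked hunk the three replacement lines no longer overflow, but they truncate silently: strncat stops after `sizeof(buffer)-strlen(buffer)-1` bytes, so a basename that does not fit produces a shortened lock-file name and the function then inspects the wrong file, and two long device names sharing a prefix map to the same lock file. The `buffer+strlen(buffer)` destination is also redundant, since strncat already appends at the terminator, and the memset is unnecessary once the string is written by a bounded call. One `snprintf` with an explicit truncation check replaces the three lines: `int n = snprintf(buffer, sizeof(buffer), "%s/LCK..%s", LOCK_SERIAL_DIR, s);` / `if (n < 0 || (size_t)n >= sizeof(buffer))` / `return TRUE;` — reporting the device as locked, so a name that cannot be checked is never treated as free (`n` would be declared with the other locals in the previous hunk). The body of tty_is_locked continues outside the hunk, so I cannot see what the function returns on success beyond `pid`.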
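Review bot: In the tty_lock hunk the same strncat construction means an over-long basename creates the lock under a truncated name, which a second device whose basename shares the first bytes would also claim, so one process could believe it holds the lock for a tty that another process is using. Refusing to lock is safer than locking the wrong file: `int n = snprintf(buffer, sizeof(buffer), "%s/LCK..%s", LOCK_SERIAL_DIR, s);` / `if (n < 0 || (size_t)n >= sizeof(buffer))` / `return FALSE;` before the `fopen`, with `n` declared alongside `buffer` in the earlier hunk. This also removes the unbounded `sprintf` of LOCK_SERIAL_DIR and the memset of a PATH_MAX buffer on every call. tty_lock's body continues past the hunk.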
@@ -151,14 +156,16 @@ int tty_lock(char *tty)
 int tty_unlock(char *tty)
 {
- char buffer[50], *s;
+ char buffer[PATH_MAX], *s;
 if ((s = strrchr(tty, '/')) != NULL)
 s++;
 else
 s = tty;
- sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s);
+ memset(buffer, 0, sizeof(buffer));
+ sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR);
+ strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1);
 return unlink(buffer) == 0;
 }
-- 
cgit v1.2.3
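Review bot: tty_unlock passes whatever the bounded strncat produced straight to `unlink`, so if the basename was truncated the call removes the file at the shortened name, which may be another device's lock rather than this one's. Truncation should abort the unlink instead: `int n = snprintf(buffer, sizeof(buffer), "%s/LCK..%s", LOCK_SERIAL_DIR, s);` / `if (n < 0 || (size_t)n >= sizeof(buffer))` / `return FALSE;`, declaring `n` next to `buffer`. That also drops the memset and the `buffer+strlen(buffer)` destination, which is redundant because strncat already appends at the terminator. The whole function is visible in this hunk, so the check covers every path to the `unlink`.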