From 14a218fd20a5e1a449d6305836d147a5e3e40eea Mon Sep 17 00:00:00 2001
From: Joel Sherrill <joel@rtems.org>
Date: Tue, 21 Aug 2018 10:32:48 -0500
Subject: cpukit/telnetd/pty.c: Fix format overflow warning on sprintf()

cpukit/telnetd/pty.c:436:47: warning: '%X' directive writing between
   1 and 8 bytes into a region of size 3 [-Wformat-overflow=]

The devname area was malloc'ed. Now it is statically allocated and
sufficiently large to account for the potential buffer overflow.
---
 cpukit/telnetd/pty.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'cpukit/telnetd/pty.c')

diff --git a/cpukit/telnetd/pty.c b/cpukit/telnetd/pty.c
index 14d688018f..3c511f9e98 100644
--- a/cpukit/telnetd/pty.c
+++ b/cpukit/telnetd/pty.c
@@ -71,7 +71,7 @@ struct pty_tt;
 typedef struct pty_tt pty_t;
 
 struct pty_tt {
- char                     *devname;
+ char                      devname[17];
  struct rtems_termios_tty *ttyp;
  tcflag_t                  c_cflag;
  int                       opened;
@@ -432,8 +432,8 @@ rtems_device_driver my_pty_initialize(
    */
 
   for (ndx=0;ndx<rtems_telnetd_maximum_ptys;ndx++) {
-    telnet_ptys[ndx].devname = (char*)malloc(strlen("/dev/ptyXX")+1);
-    sprintf(telnet_ptys[ndx].devname,"/dev/pty%X",ndx);
+    /* devname is included in the structure */
+    sprintf(telnet_ptys[ndx].devname,"/dev/pty%02X",ndx);
     telnet_ptys[ndx].ttyp    =  NULL;
     telnet_ptys[ndx].c_cflag = CS8|B9600;
     telnet_ptys[ndx].socket  = -1;
@@ -491,8 +491,9 @@ static int pty_do_finalize(void)
         status = (rtems_status_code)unlink(telnet_ptys[ndx].devname);
         if (status != RTEMS_SUCCESSFUL)
           perror("removing pty device node from file system");
-        else
-          free(telnet_ptys[ndx].devname);
+        else {
+          telnet_ptys[ndx].devname[0] = '\0';
+        }
     };
 
     free ( telnet_ptys );
-- 
cgit v1.2.3