From tetsuya@secom-sis.co.jp  Tue Dec 21 03:31:23 1999
Return-Path: <tetsuya@secom-sis.co.jp>
Received: from secom-sis.co.jp (spiral.secom-sis.co.jp [202.218.246.72])
	by hub.freebsd.org (Postfix) with ESMTP id 1A5F3152B0
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Tue, 21 Dec 1999 03:31:22 -0800 (PST)
	(envelope-from tetsuya@secom-sis.co.jp)
Received: by spiral.secom-sis.co.jp id <27780>; Tue, 21 Dec 1999 20:24:07 +0900
Message-Id: <99Dec21.202407jst.27780@spiral.secom-sis.co.jp>
Date: Tue, 21 Dec 1999 20:31:15 +0900
From: tetsuya@secom-sis.co.jp
Reply-To: tetsuya@secom-sis.co.jp
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Typo in lpd.c
X-Send-Pr-Version: 3.2

>Number:         15604
>Category:       bin
>Synopsis:       Typo in lpd.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 21 03:40:00 PST 1999
>Closed-Date:    Mon Jan 24 17:43:20 PST 2000
>Last-Modified:  Mon Jan 24 17:53:01 PST 2000
>Originator:     Tetsuya Furukawa
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
None
>Environment:

None.

>Description:

It's a long-lived bug since the initial revision.
It doesn't seem to have any ill effect in the current source code.

>How-To-Repeat:

None.

>Fix:

--- usr.sbin/lpr/lpd/lpd.c.orig	Mon Aug 30 00:43:22 1999
+++ usr.sbin/lpr/lpd/lpd.c	Tue Dec 21 19:58:07 1999
@@ -590,7 +590,7 @@
 			inet_ntoa(f->sin_addr));
 
 	(void) strncpy(fromb, hp->h_name, sizeof(fromb) - 1);
-	from[sizeof(fromb) - 1] = '\0';
+	fromb[sizeof(fromb) - 1] = '\0';
 	from = fromb;
 
 	/* Check for spoof, ala rlogind */
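
Review bot: the `(void) strncpy(fromb, hp->h_name, sizeof(fromb) - 1);` line just above the changed line truncates silently when hp->h_name is longer than the buffer, and the spoof check that follows then runs on the truncated name. The terminator change itself is right, since `from = fromb;` only happens on the next line and the old write therefore landed in whatever `from` pointed to before; consider also rejecting or logging a name where strlen(hp->h_name) >= sizeof(fromb) before the copy, and a short comment saying the explicit NUL is there because strncpy() does not terminate on truncation.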


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Mon Jan 24 17:43:20 PST 2000 
State-Changed-Why:  
The change has been committed.  A review of the code indicates that 
the use of the wrong buffer in this case did not introduce any  
security holes because 'from' was previously initialized to point 
to another buffer of the same size as fromb, and due to the strncpy() 
the last element of fromb is already zero anyway.  The whole assignment 
could be removed but I'm not that adventurous so I've only fixed 
the typo as indicated in the patch. 
>Unformatted:
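
The terminator idiom the patch corrects, as an added C example (not code from lpd.c or from this PR): it shows when writing the NUL through a different same-sized buffer still leaves the copy destination terminated and when it does not. NAMELEN, the helper names and the sample hostnames are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 16              /* constructed size; the page does not give lpd's */

/* Pre-patch pattern: copy into dst, but write the terminator through `other`. */
static void copy_wrong_buf(char *dst, char *other, const char *src)
{
    (void) strncpy(dst, src, NAMELEN - 1);
    other[NAMELEN - 1] = '\0';
}

/* Patched pattern: the terminator goes into the buffer that was copied to. */
static void copy_fixed(char *dst, const char *src)
{
    (void) strncpy(dst, src, NAMELEN - 1);
    dst[NAMELEN - 1] = '\0';
}

/* Returns 1 if buf holds a NUL somewhere within its NAMELEN bytes. */
static int is_terminated(const char *buf)
{
    return memchr(buf, '\0', NAMELEN) != NULL;
}

/* Run one pattern against buffers pre-filled with `fill`; report on dst. */
static int run_case(int fixed, int fill, const char *src)
{
    char dst[NAMELEN], other[NAMELEN];

    memset(dst, fill, sizeof(dst));
    memset(other, fill, sizeof(other));
    if (fixed)
        copy_fixed(dst, src);
    else
        copy_wrong_buf(dst, other, src);
    return is_terminated(dst);
}

int main(void)
{
    const char *longname = "printer-host.long.example.org"; /* constructed, longer than NAMELEN */

    printf("wrong buf, zeroed dst : %d\n", run_case(0, 0, longname));
    printf("wrong buf, dirty dst  : %d\n", run_case(0, 'X', longname));
    printf("fixed,     dirty dst  : %d\n", run_case(1, 'X', longname));
    printf("wrong buf, short name : %d\n", run_case(0, 'X', "lp0"));
    return 0;
}
```

With the pre-patch pattern the result depends on what the destination's last byte held before the copy and on whether the source is shorter than the copy length, because strncpy() pads a short source with NULs but never touches the final byte here.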
