Buffer overflow in wall(1).

Revert r286102 and apply a cleaner fix.
Tested for overflows by FORTIFY_SOURCE GSoC (with clang).

Suggested by:	bde
Reviewed by:	Oliver Pinter
Tested by:	Oliver Pinter
MFC after:	3 days

diff --git a/usr.bin/wall/ttymsg.c b/usr.bin/wall/ttymsg.c
index 1317a4b0cb603dd9f0fc96e26d877adc6879be3c..afa3d266ad3a9194f5ae8cdb958768250e1ceda1 100644 (file)
--- a/usr.bin/wall/ttymsg.c
+++ b/usr.bin/wall/ttymsg.c
@@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
        struct iovec localiov[7];
        ssize_t left, wret;
        int cnt, fd;
-       char device[MAXNAMLEN] = _PATH_DEV;
+       char device[MAXNAMLEN];
        static char errbuf[1024];
        char *p;
        int forked;
@@ -71,8 +71,9 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
        if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
                return ("too many iov's (change code in wall/ttymsg.c)");
 
-       strlcat(device, line, sizeof(device));
+       strlcpy(device, _PATH_DEV, sizeof(device));
        p = device + sizeof(_PATH_DEV) - 1;
+       strlcpy(p, line, sizeof(device) - sizeof(_PATH_DEV));
        if (strncmp(p, "pts/", 4) == 0)
                p += 4;
        if (strchr(p, '/') != NULL) {