Apply by doing:
cd /usr/src
patch -p0 < 023_lprm.patch
And then rebuild and install lprm:
cd usr.sbin/lpr
make obj
make depend && make && make install
Index: usr.sbin/lpr/common_source/rmjob.c
===================================================================
RCS file: /cvs/src/usr.sbin/lpr/common_source/rmjob.c,v
retrieving revision 1.12
diff -u -r1.12 rmjob.c
--- usr.sbin/lpr/common_source/rmjob.c 16 Feb 2002 21:28:03 -0000 1.12
+++ usr.sbin/lpr/common_source/rmjob.c 5 Mar 2003 00:54:55 -0000
@@ -322,6 +322,7 @@
{
char *cp;
int i, rem;
+ size_t n;
char buf[BUFSIZ];
if (!remote)
@@ -333,18 +334,26 @@
*/
fflush(stdout);
- (void)snprintf(buf, sizeof(buf)-2, "\5%s %s", RP, all ? "-all" : person);
- cp = buf + strlen(buf);
- for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf - 2; i++) {
- cp += strlen(cp);
+ /* the trailing space will be replaced with a newline later */
+ n = snprintf(buf, sizeof(buf), "\5%s %s ", RP, all ? "-all" : person);
+ if (n == -1 || n >= sizeof(buf))
+ goto bad;
+ cp = buf + n;
+ for (i = 0; i < users; i++) {
+ n = strlcpy(cp, user[i], sizeof(buf) - (cp - buf + 1));
+ if (n >= sizeof(buf) - (cp - buf + 1))
+ goto bad;
+ cp += n;
*cp++ = ' ';
- strcpy(cp, user[i]);
}
- for (i = 0; i < requests && cp-buf+10 < sizeof(buf) - 2; i++) {
- cp += strlen(cp);
- (void) sprintf(cp, " %d", requ[i]);
+ *cp = '\0';
+ for (i = 0; i < requests; i++) {
+ n = snprintf(cp, sizeof(buf) - (cp - buf), "%d ", requ[i]);
+ if (n == -1 || n >= sizeof(buf) - (cp - buf))
+ goto bad;
+ cp += n;
}
- strcat(cp, "\n");
+ cp[-1] = '\n'; /* replace space with newline, leave the NUL */
rem = getport(RM, 0);
if (rem < 0) {
if (from != host)
@@ -358,6 +367,10 @@
(void) fwrite(buf, 1, i, stdout);
(void) close(rem);
}
+ return;
+bad:
+ printf("remote buffer too large\n");
+ return;
}
/*
