
		11) expect() references beyond array bounds

From: teklabs!cbosg!harpo!floyd!cmcl2!salkind
Date: Sun Mar 28 17:19:54 1982
Subject: UUCP Bug (brl-bmd.115 followup)
Newsgroups: net.bugs
References: expect.c,expect()

	1) there can be a reference past the end of the statically
		allocated array rdvec (reported by someone else already)
	2) the alarm isn't reset (disabled)

The fix is simple.  In expect(), change the lines

		if ((*rp = nextch & 0177) != '\0')
			rp++;
		*rp = '\0';
		if (rp >= rdvec + MR)
			return(FAIL);

to
		if ((*rp = nextch & 0177) != '\0')
			rp++;
		if (rp >= rdvec + MR) {
			alarm(0);
			return(FAIL);
		}
		*rp = '\0';

_________

						Lou Salkind
						cmcl2!salkind

