Fix potential fault where -L/-R/-D could accept a string too long for our

portfwd[] array. (Not sure what would happen in this case, mind.)
Also modify -L/-R/-D code to cope with IPv4/IPv6 tunnels in saved settings.

git-svn-id: svn://svn.tartarus.org/sgt/putty@5440 cda61777-01e9-0310-a592-d414129be87e

diff --git a/cmdline.c b/cmdline.c
index d306959..fdd9584 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -190,19 +190,20 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
        dynamic = !strcmp(p, "-D");
        fwd = value;
        ptr = cfg->portfwd;
-       /* if multiple forwards, find end of list */
-       if (ptr[0]=='R' || ptr[0]=='L' || ptr[0] == 'D') {
-           for (i = 0; i < sizeof(cfg->portfwd) - 2; i++)
-               if (ptr[i]=='\000' && ptr[i+1]=='\000')
-                   break;
-           ptr = ptr + i + 1;  /* point to next forward slot */
+       /* if existing forwards, find end of list */
+       while (*ptr) {
+           while (*ptr)
+               ptr++;
+           ptr++;
        }
+       i = ptr - cfg->portfwd;
        ptr[0] = p[1];  /* insert a 'L', 'R' or 'D' at the start */
-       if (strlen(fwd) > sizeof(cfg->portfwd) - i - 2) {
+       ptr++;
+       if (1 + strlen(fwd) + 2 > sizeof(cfg->portfwd) - i) {
            cmdline_error("out of space for port forwardings");
            return ret;
        }
-       strncpy(ptr+1, fwd, sizeof(cfg->portfwd) - i);
+       strncpy(ptr, fwd, sizeof(cfg->portfwd) - i - 2);
        if (!dynamic) {
            /*
             * We expect _at least_ two colons in this string. The
@@ -224,7 +225,7 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
        }
        cfg->portfwd[sizeof(cfg->portfwd) - 1] = '\0';
        cfg->portfwd[sizeof(cfg->portfwd) - 2] = '\0';
-       ptr[strlen(ptr)+1] = '\000';    /* append two '\000' */
+       ptr[strlen(ptr)+1] = '\000';    /* append 2nd '\000' */
     }
     if (!strcmp(p, "-m")) {
        char *filename, *command;