From 116f2044b2ed89f13b29a45f04aac7a7f01e446a Mon Sep 17 00:00:00 2001
From: jacob <jacob@cda61777-01e9-0310-a592-d414129be87e>
Date: Fri, 4 Mar 2005 01:54:56 +0000
Subject: [PATCH] Fix potential fault where -L/-R/-D could accept a string too
 long for our portfwd[] array. (Not sure what would happen in this case,
 mind.) Also modify -L/-R/-D code to cope with IPv4/IPv6 tunnels in saved
 settings.

git-svn-id: svn://svn.tartarus.org/sgt/putty@5440 cda61777-01e9-0310-a592-d414129be87e
---
 cmdline.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/cmdline.c b/cmdline.c
index d306959c..fdd95849 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -190,19 +190,20 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
 	dynamic = !strcmp(p, "-D");
 	fwd = value;
 	ptr = cfg->portfwd;
-	/* if multiple forwards, find end of list */
-	if (ptr[0]=='R' || ptr[0]=='L' || ptr[0] == 'D') {
-	    for (i = 0; i < sizeof(cfg->portfwd) - 2; i++)
-		if (ptr[i]=='\000' && ptr[i+1]=='\000')
-		    break;
-	    ptr = ptr + i + 1;  /* point to next forward slot */
+	/* if existing forwards, find end of list */
+	while (*ptr) {
+	    while (*ptr)
+		ptr++;
+	    ptr++;
 	}
+	i = ptr - cfg->portfwd;
 	ptr[0] = p[1];  /* insert a 'L', 'R' or 'D' at the start */
-	if (strlen(fwd) > sizeof(cfg->portfwd) - i - 2) {
+	ptr++;
+	if (1 + strlen(fwd) + 2 > sizeof(cfg->portfwd) - i) {
 	    cmdline_error("out of space for port forwardings");
 	    return ret;
 	}
-	strncpy(ptr+1, fwd, sizeof(cfg->portfwd) - i);
+	strncpy(ptr, fwd, sizeof(cfg->portfwd) - i - 2);
 	if (!dynamic) {
 	    /*
 	     * We expect _at least_ two colons in this string. The
@@ -224,7 +225,7 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
 	}
 	cfg->portfwd[sizeof(cfg->portfwd) - 1] = '\0';
 	cfg->portfwd[sizeof(cfg->portfwd) - 2] = '\0';
-	ptr[strlen(ptr)+1] = '\000';    /* append two '\000' */
+	ptr[strlen(ptr)+1] = '\000';    /* append 2nd '\000' */
     }
     if (!strcmp(p, "-m")) {
 	char *filename, *command;
-- 
2.11.0