potential buffer overrun in innd/art.c due to strlcpy misuse

Paul Eggert eggert at cs.ucla.edu
Sat Jan 23 11:04:45 UTC 2016

Russ Allbery mentioned that INN uses strlcpy and strlcat, and I looked through 
the code by hand to see how well that was working out. I noticed that all uses 
ignored the returned value, except for one place in innd/art.c. Unfortunately 
that usage assumes that strlcpy returns strlen(dst) afterwards, but strlcpy 
actually returns strlen(src). This looks like it could lead to a buffer overrun. 
Also, the code does not appear to ensure that the result is null-terminated 
(this is due to its appending ' ' without checking whether the space fits).

Proposed untested patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn.diff
Type: text/x-diff
Size: 789 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20160123/082fd7aa/attachment.bin>

More information about the inn-workers mailing list