potential buffer overrun in innd/art.c due to strlcpy misuse

Paul Eggert eggert at cs.ucla.edu
Sat Jan 23 11:04:45 UTC 2016


Russ Allbery mentioned that INN uses strlcpy and strlcat, and I looked through 
the code by hand to see how well that was working out. I noticed that all uses 
ignored the returned value, except for one place in innd/art.c. Unfortunately 
that usage assumes that strlcpy returns strlen(dst) afterwards, but strlcpy 
actually returns strlen(src). This looks like it could lead to a buffer overrun. 
Also, the code does not appear to ensure that the result is null-terminated 
(this is due to its appending ' ' without checking whether the space fits).

Proposed untested patch attached.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: inn.diff
Type: text/x-diff
Size: 789 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20160123/082fd7aa/attachment.bin>
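As an added illustration of the mistake described above (this is not the attached inn.diff and not INN's code), the following C program puts the broken bookkeeping beside a correct append helper. It assumes a local `my_strlcpy` with the OpenBSD semantics (return value is strlen(src), not the number of bytes stored), and the function names `buggy_overruns` and `append_token` are invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local copy of strlcpy with the OpenBSD semantics (assumption: same as the
 * original), so the example builds on libcs that lack it.  The return value is
 * the length of src, which is what the caller would have needed to store the
 * whole string; it is NOT the length of dst afterwards. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The buggy pattern from the report, modelled without doing the write:
 *
 *     pos += strlcpy(dst + pos, src, size - pos);
 *     dst[pos++] = ' ';
 *
 * When src was truncated, pos is advanced by strlen(src), not by what was
 * stored, so the ' ' lands at index pos + strlen(src).  That index is past the
 * buffer once it reaches size.  On the next call size - pos underflows as well,
 * which hands strlcpy an enormous bound.  Returns true when the ' ' write
 * would fall outside a buffer of the given size. */
bool buggy_overruns(size_t size, size_t pos, const char *src)
{
    size_t separator_index = pos + strlen(src);
    return separator_index >= size;
}

/* Correct accounting: append src and a trailing ' ' at *pos, keeping dst
 * NUL-terminated at all times.  Returns false and leaves *pos and the previous
 * contents unchanged when token + ' ' + NUL does not fit. */
bool append_token(char *dst, size_t size, size_t *pos, const char *src)
{
    if (size == 0 || *pos >= size)
        return false;
    size_t room = size - *pos;                  /* bytes left including NUL */
    size_t need = my_strlcpy(dst + *pos, src, room);
    if (need + 1 >= room) {                     /* truncated, or no room for ' ' */
        dst[*pos] = '\0';                       /* roll back to a terminated prefix */
        return false;
    }
    dst[*pos + need] = ' ';
    dst[*pos + need + 1] = '\0';
    *pos += need + 1;
    return true;
}

int main(void)
{
    /* Constructed sample: a 16-byte line buffer and a few header tokens. */
    char line[16] = "";
    size_t pos = 0;
    const char *tokens[] = { "Path:", "news.example", "abc" };

    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        printf("buggy code would overrun on \"%s\": %s\n", tokens[i],
               buggy_overruns(sizeof line, pos, tokens[i]) ? "yes" : "no");
        if (!append_token(line, sizeof line, &pos, tokens[i]))
            printf("dropped \"%s\" (does not fit)\n", tokens[i]);
    }
    printf("result: \"%s\" (pos = %zu)\n", line, pos);
    return 0;
}
```

The point of the comparison is the check `need + 1 >= room`: the value strlcpy returns is only useful when compared against the size that was passed in, never added to the cursor directly.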
