diff options
| author | Damien Miller <djm@mindrot.org> | 2000-09-26 13:10:37 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-09-26 13:10:37 +1100 |
| commit | e772b684ccb1d7e8507059ba9cd86b1bc0c8609a (patch) | |
| tree | ea23a3ac0cf7d17c78cb574dfa3d227fb08d8f30 | |
| parent | b2033a41a171641e52cc7ed942d9928470a8bbd2 (diff) | |
- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | fake-getnameinfo.c | 10 |
2 files changed, 8 insertions, 6 deletions
| @@ -1,6 +1,8 @@ | |||
| 1 | 20000926 | 1 | 20000926 |
| 2 | - (djm) Update X11-askpass to 1.0.2 in RPM spec file | 2 | - (djm) Update X11-askpass to 1.0.2 in RPM spec file |
| 3 | - (djm) Define _REENTRANT | 3 | - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX |
| 4 | - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. | ||
| 5 | Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> | ||
| 4 | 6 | ||
| 5 | 20000924 | 7 | 20000924 |
| 6 | - (djm) Merged cleanup patch from Mark Miller <markm@swoon.net> | 8 | - (djm) Merged cleanup patch from Mark Miller <markm@swoon.net> |
diff --git a/fake-getnameinfo.c b/fake-getnameinfo.c index 867cf90b5..7b0098158 100644 --- a/fake-getnameinfo.c +++ b/fake-getnameinfo.c | |||
| @@ -25,15 +25,15 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, | |||
| 25 | if (strlen(tmpserv) > servlen) | 25 | if (strlen(tmpserv) > servlen) |
| 26 | return EAI_MEMORY; | 26 | return EAI_MEMORY; |
| 27 | else | 27 | else |
| 28 | strcpy(serv, tmpserv); | 28 | strlcpy(serv, tmpserv, servlen); |
| 29 | } | 29 | } |
| 30 | 30 | ||
| 31 | if (host) { | 31 | if (host) { |
| 32 | if (flags & NI_NUMERICHOST) { | 32 | if (flags & NI_NUMERICHOST) { |
| 33 | if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) | 33 | if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen) |
| 34 | return EAI_MEMORY; | 34 | return EAI_MEMORY; |
| 35 | 35 | ||
| 36 | strcpy(host, inet_ntoa(sin->sin_addr)); | 36 | strlcpy(host, inet_ntoa(sin->sin_addr), hostlen); |
| 37 | return 0; | 37 | return 0; |
| 38 | } else { | 38 | } else { |
| 39 | hp = gethostbyaddr((char *)&sin->sin_addr, | 39 | hp = gethostbyaddr((char *)&sin->sin_addr, |
| @@ -41,10 +41,10 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, | |||
| 41 | if (hp == NULL) | 41 | if (hp == NULL) |
| 42 | return EAI_NODATA; | 42 | return EAI_NODATA; |
| 43 | 43 | ||
| 44 | if (strlen(hp->h_name) > hostlen) | 44 | if (strlen(hp->h_name) >= hostlen) |
| 45 | return EAI_MEMORY; | 45 | return EAI_MEMORY; |
| 46 | 46 | ||
| 47 | strcpy(host, hp->h_name); | 47 | strlcpy(host, hp->h_name, hostlen); |
| 48 | return 0; | 48 | return 0; |
| 49 | } | 49 | } |
| 50 | } | 50 | } |