diff options
author | Damien Miller <djm@mindrot.org> | 2000-09-26 13:10:37 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-09-26 13:10:37 +1100 |
commit | e772b684ccb1d7e8507059ba9cd86b1bc0c8609a (patch) | |
tree | ea23a3ac0cf7d17c78cb574dfa3d227fb08d8f30 /fake-getnameinfo.c | |
parent | b2033a41a171641e52cc7ed942d9928470a8bbd2 (diff) |
- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Diffstat (limited to 'fake-getnameinfo.c')
-rw-r--r-- | fake-getnameinfo.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/fake-getnameinfo.c b/fake-getnameinfo.c index 867cf90b5..7b0098158 100644 --- a/fake-getnameinfo.c +++ b/fake-getnameinfo.c | |||
@@ -25,15 +25,15 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, | |||
25 | if (strlen(tmpserv) > servlen) | 25 | if (strlen(tmpserv) > servlen) |
26 | return EAI_MEMORY; | 26 | return EAI_MEMORY; |
27 | else | 27 | else |
28 | strcpy(serv, tmpserv); | 28 | strlcpy(serv, tmpserv, servlen); |
29 | } | 29 | } |
30 | 30 | ||
31 | if (host) { | 31 | if (host) { |
32 | if (flags & NI_NUMERICHOST) { | 32 | if (flags & NI_NUMERICHOST) { |
33 | if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) | 33 | if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen) |
34 | return EAI_MEMORY; | 34 | return EAI_MEMORY; |
35 | 35 | ||
36 | strcpy(host, inet_ntoa(sin->sin_addr)); | 36 | strlcpy(host, inet_ntoa(sin->sin_addr), hostlen); |
37 | return 0; | 37 | return 0; |
38 | } else { | 38 | } else { |
39 | hp = gethostbyaddr((char *)&sin->sin_addr, | 39 | hp = gethostbyaddr((char *)&sin->sin_addr, |
@@ -41,10 +41,10 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, | |||
41 | if (hp == NULL) | 41 | if (hp == NULL) |
42 | return EAI_NODATA; | 42 | return EAI_NODATA; |
43 | 43 | ||
44 | if (strlen(hp->h_name) > hostlen) | 44 | if (strlen(hp->h_name) >= hostlen) |
45 | return EAI_MEMORY; | 45 | return EAI_MEMORY; |
46 | 46 | ||
47 | strcpy(host, hp->h_name); | 47 | strlcpy(host, hp->h_name, hostlen); |
48 | return 0; | 48 | return 0; |
49 | } | 49 | } |
50 | } | 50 | } |