cvs commit: src/usr.sbin/rtsold if.c
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Sat Aug 16 12:56:42 PDT 2003
On Sat, Aug 16, 2003 at 12:00:32PM -0700, Hajimu UMEMOTO wrote:
[...]
+> - use strncpy just in case.
[...]
+> @@ -333,7 +333,7 @@ get_llflag(const char *name)
+> continue;
+>
+> memset(&ifr6, 0, sizeof(ifr6));
+> - strcpy(ifr6.ifr_name, name);
+> + strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name));
+> memcpy(&ifr6.ifr_ifru.ifru_addr, sin6, sin6->sin6_len);
+> if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) {
+> warnmsg(LOG_ERR, __func__,
If so, this should be:
strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name) - 1);
or even better:
strlcpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name));
There will be no overflow here direct, but there could be when it will
be used in such scenario:
struct sfoo {
char buf[<x>];
int bar;
} foo;
memset(&foo, 0, sizeof(foo));
strncpy(foo.buf, "string x or more chars long", sizeof(foo.buf));
foo.bar = <value != 0>;
[...]
char *p;
[...]
p = malloc(sizeof(foo.bar));
strcpy(p, foo.bar); /* overflow */
And of course strlen(3) could also ends after foo.bar and all foo value
in that case.
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20030816/595accee/attachment.bin
More information about the cvs-src
mailing list