1-byte buffer overflows
From: Pekka Savola
Subject: 1-byte buffer overflows
Date: Sun, 8 Jul 2001 01:54:26 +0300 (EEST)
Hi,
If the read data is too long, sscanf will read 16 bytes and append a
terminating NULL, causing 1 byte of corrupted memory.
For what it's worth, not using buffer boundary checks (sprintf, strcat,
strcpy etc. instead of snprintf etc.) in the code is bound for
disaster sooner or later. If architectures lacking these are supported,
I'd probably add a support library consisting of these functions, as e.g.
OpenSSH does.
Index: src/rcs.c
===================================================================
RCS file: /cvsroot/ccvs/src/rcs.c,v
retrieving revision 1.251
diff -u -r1.251 rcs.c
--- src/rcs.c 5 Jul 2001 17:30:12 -0000 1.251
+++ src/rcs.c 7 Jul 2001 22:37:43 -0000
@@ -4343,7 +4343,7 @@
if (info != NULL)
{
/* If the size of `devtype' changes, fix the sscanf call also */
- char devtype[16];
+ char devtype[17];
if (sscanf (info->data, "%16s %lu",
devtype, &devnum_long) < 2)
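Review bot: the array size 17 and the width in "%16s" are now consistent (sscanf stores at most 16 characters plus the terminating NUL), but they remain two hard-coded numbers kept in step only by the comment above them. Tie them to one definition instead, e.g. `#define DEVTYPE_LEN 16`, `char devtype[DEVTYPE_LEN + 1];` and a stringified format `"%" STR(DEVTYPE_LEN) "s %lu"`, so the "fix the sscanf call also" warning becomes unnecessary. Note also that a type token longer than 16 characters is silently truncated rather than rejected, because the `< 2` test only counts successful conversions; if that is intended it deserves a comment.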
Index: src/update.c
===================================================================
RCS file: /cvsroot/ccvs/src/update.c,v
retrieving revision 1.196
diff -u -r1.196 update.c
--- src/update.c 3 Jul 2001 13:05:34 -0000 1.196
+++ src/update.c 7 Jul 2001 22:37:43 -0000
@@ -2725,7 +2725,7 @@
else
{
/* If the size of `ftype' changes, fix the sscanf call also */
- char ftype[16];
+ char ftype[17];
if (sscanf (n->data, "%16s %lu", ftype,
&dev_long) < 2)
error (1, 0, "%s:%s has bad `special' newphrase %s",
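Review bot: the size change is right for the same reason as in rcs.c (`%16s` needs room for 16 characters plus one NUL), but `ftype`, `dev_long` and this sscanf call are repeated verbatim in the hunk at line 2803, and the buffer size and format width must be changed together in every copy. Consider moving the parse into a small helper that derives the width from the buffer size, so that a future change cannot miss one of the copies; this patch already had to touch the same three lines in three places.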
@@ -2803,7 +2803,7 @@
else
{
/* If the size of `ftype' changes, fix the sscanf call also */
- char ftype[16];
+ char ftype[17];
if (sscanf (n->data, "%16s %lu", ftype,
&dev_long) < 2)
error (1, 0, "%s:%s has bad `special' newphrase %s",
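Review bot: this hunk is identical to the one at line 2725, which confirms the duplication noted there. Given that the same off-by-one was found at three sites, the tree should be searched for every other `sscanf`/`scanf` with a fixed `%Ns` width writing into a `char[N]` buffer, rather than fixing only the three sites this patch covers.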
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
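The off-by-one above comes from forgetting that `%16s` stores up to 16 characters and then a terminating NUL, so a 16-character token needs 17 bytes. The following is an added example, not CVS code and not from the patch author: it reads the same "<type> <number>" newphrase shape into a fixed buffer, derives the conversion width and the array size from one macro so they cannot drift apart, and refuses an overlong token instead of silently truncating it. The names `parse_special`, `DEVTYPE_LEN`, `struct special` and the sample strings in `main` are assumptions for illustration.

```c
/* Added example: fixed-width sscanf without the off-by-one.
 * Not CVS code; parse_special, DEVTYPE_LEN, struct special and the
 * sample inputs below are assumed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum token length.  %s always appends a NUL, so the buffer must be
 * one byte larger than the width.  Both numbers come from this macro:
 * width = DEVTYPE_LEN, buffer = DEVTYPE_LEN + 1. */
#define DEVTYPE_LEN 16
#define STR_(x) #x
#define STR(x) STR_(x)

struct special {
    char type[DEVTYPE_LEN + 1];   /* 16 characters + NUL */
    unsigned long devnum;
};

/* Parse "<type> <devnum>" into *out.
 * Returns 0 on success, -1 on malformed input, including a type token
 * longer than DEVTYPE_LEN (rejected, not truncated) and a missing,
 * negative or non-numeric device number. */
static int parse_special(const char *data, struct special *out)
{
    int consumed = 0;
    const char *p;

    memset(out, 0, sizeof *out);

    /* "%16s%n": the width is the macro, %n records how far we got. */
    if (sscanf(data, "%" STR(DEVTYPE_LEN) "s%n", out->type, &consumed) != 1)
        return -1;

    /* If the token filled the buffer, the next input byte must end it;
     * otherwise sscanf stopped in the middle of an overlong token. */
    if (strlen(out->type) == DEVTYPE_LEN &&
        data[consumed] != '\0' && !isspace((unsigned char)data[consumed]))
        return -1;

    /* %lu would accept a sign and wrap "-5" to a huge value; insist on
     * a digit after the separating whitespace. */
    p = data + consumed;
    while (isspace((unsigned char)*p))
        p++;
    if (!isdigit((unsigned char)*p) || sscanf(p, "%lu", &out->devnum) != 1)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any repository. */
    static const char *const samples[] = {
        "block 1234",               /* ok */
        "abcdefghijklmnop 7",       /* 16-char token: fits exactly */
        "abcdefghijklmnopq 7",      /* 17-char token: rejected */
        "char",                     /* missing device number */
        "char -5",                  /* negative number rejected */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct special s;
        if (parse_special(samples[i], &s) == 0)
            printf("ok   \"%s\" -> type=%s devnum=%lu\n",
                   samples[i], s.type, s.devnum);
        else
            printf("bad  \"%s\"\n", samples[i]);
    }
    return 0;
}
```

With the width and the buffer size tied to `DEVTYPE_LEN`, the "if the size changes, fix the sscanf call also" comment in the patched code is no longer needed, and the `%n` check turns a silently truncated token into a parse error.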