bug-cvs

1-byte buffer overflows


From: Pekka Savola
Subject: 1-byte buffer overflows
Date: Sun, 8 Jul 2001 01:54:26 +0300 (EEST)

Hi,

if the read data is too long, sscanf will read 16 bytes and append a
terminating NULL, causing 1 byte of corrupted memory.

For what it's worth, not using buffer boundary checks (sprintf, strcat,
strcpy etc. instead of snprintf etc.) in the code is way bound for
disaster sooner or later.  If architectures lacking these are supported,
I'd probably add a support library consisting of these functions as e.g.
OpenSSH does.

Index: src/rcs.c
===================================================================
RCS file: /cvsroot/ccvs/src/rcs.c,v
retrieving revision 1.251
diff -u -r1.251 rcs.c
--- src/rcs.c   5 Jul 2001 17:30:12 -0000       1.251
+++ src/rcs.c   7 Jul 2001 22:37:43 -0000
@@ -4343,7 +4343,7 @@
        if (info != NULL)
        {
            /* If the size of `devtype' changes, fix the sscanf call also */
-           char devtype[16];
+           char devtype[17];

            if (sscanf (info->data, "%16s %lu",
                        devtype, &devnum_long) < 2)
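Review bot: The comment above `devtype` still only says the sscanf call must change with the array size; now that the array is 17 and the width is 16, spell out the invariant, e.g. `/* devtype holds the %16s result: 16 chars plus the terminating NUL */`, or derive the width from a macro so the two cannot drift apart again. Note also that `%16s` truncates a longer token silently: the `< 2` check only fires when the leftover characters fail to parse as `%lu`, so a token of 16 letters followed by digits is accepted with the wrong devtype and devnum.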
Index: src/update.c
===================================================================
RCS file: /cvsroot/ccvs/src/update.c,v
retrieving revision 1.196
diff -u -r1.196 update.c
--- src/update.c        3 Jul 2001 13:05:34 -0000       1.196
+++ src/update.c        7 Jul 2001 22:37:43 -0000
@@ -2725,7 +2725,7 @@
            else
            {
                /* If the size of `ftype' changes, fix the sscanf call also */
-               char ftype[16];
+               char ftype[17];
                if (sscanf (n->data, "%16s %lu", ftype,
                            &dev_long) < 2)
                    error (1, 0, "%s:%s has bad `special' newphrase %s",
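Review bot: Same off-by-one and same fix as in rcs.c, but the hunk header shows an identical block at 2803 in this file; a single helper that owns the buffer size and the format width would keep the copies from diverging and leave one comment to maintain instead of three.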
@@ -2803,7 +2803,7 @@
            else
            {
                /* If the size of `ftype' changes, fix the sscanf call also */
-               char ftype[16];
+               char ftype[17];
                if (sscanf (n->data, "%16s %lu", ftype,
                            &dev_long) < 2)
                    error (1, 0, "%s:%s has bad `special' newphrase %s",
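Review bot: This block is a verbatim duplicate of the one at 2725 (same comment, same buffer, same format string), so the size/width pair now has to be kept in step in two places in this file alone; fold both into one helper, or at least update the comment here as well to say the buffer is the scanf width plus one for the NUL.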

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
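The off-by-one described in the mail (a `%16s` conversion storing 16 characters plus the NUL into a 16-byte array) and the fix in the hunks, reworked as an added example that is not from the CVS sources: the scanf width is generated from the array size so the two cannot drift apart, and `%n` catches a token that `%16s` would otherwise truncate silently. `parse_special`, `DEVTYPE_LEN`, the helpers and the sample strings are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Longest device-type token accepted; the array holds one more byte for the NUL.
 * The scanf width is built from this constant, so changing it updates both. */
#define DEVTYPE_LEN 16
#define STR_(x) #x
#define STR(x) STR_(x)

/* Parses a "<devtype> <devnum>" pair like the `special' newphrase in the patch
 * (constructed format). Returns 0 on success, -1 when sscanf could not fill both
 * fields, -2 when the devtype token was longer than DEVTYPE_LEN and %16s cut it. */
int parse_special(const char *data, char devtype[DEVTYPE_LEN + 1], unsigned long *devnum)
{
    int end_of_type = 0;
    /* "%16s%n %lu": %n records how far the type token reached; it does not
     * count toward the return value, so the < 2 check is the original one. */
    if (sscanf(data, "%" STR(DEVTYPE_LEN) "s%n %lu", devtype, &end_of_type, devnum) < 2)
        return -1;
    /* %16s stops after 16 characters even mid-token. If the next character is
     * not a separator, the token was truncated and %lu may have parsed its tail. */
    if (data[end_of_type] != '\0' && !isspace((unsigned char)data[end_of_type]))
        return -2;
    return 0;
}

/* Helper: returns 1 if data parses successfully to the expected type and number. */
int parses_as(const char *data, const char *want_type, unsigned long want_num)
{
    char devtype[DEVTYPE_LEN + 1];
    unsigned long devnum = 0;
    return parse_special(data, devtype, &devnum) == 0
        && strcmp(devtype, want_type) == 0 && devnum == want_num;
}

/* Helper: returns only the status code for data. */
int parse_status(const char *data)
{
    char devtype[DEVTYPE_LEN + 1];
    unsigned long devnum = 0;
    return parse_special(data, devtype, &devnum);
}

int main(void)
{
    /* Constructed samples: a normal entry, a 17-char token ending in a digit
     * (silently misparsed by "%16s %lu" alone), and one ending in a letter. */
    const char *samples[] = { "char 1234", "abcdefghijklmnop7 42", "abcdefghijklmnopq 42" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], parse_status(samples[i]));
    return 0;
}
```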