Date:      Sat, 16 Aug 2003 21:56:57 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        Hajimu UMEMOTO <ume@FreeBSD.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/rtsold if.c
Message-ID:  <20030816195657.GV395@garage.freebsd.pl>
In-Reply-To: <200308161900.h7GJ0W66093273@repoman.freebsd.org>
References:  <200308161900.h7GJ0W66093273@repoman.freebsd.org>

On Sat, Aug 16, 2003 at 12:00:32PM -0700, Hajimu UMEMOTO wrote:
[...]
+>   - use strncpy just in case.
[...]
+> @@ -333,7 +333,7 @@ get_llflag(const char *name)
+>  			continue;
+> =20
+>  		memset(&ifr6, 0, sizeof(ifr6));
+> -		strcpy(ifr6.ifr_name, name);
+> +		strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name));
+>  		memcpy(&ifr6.ifr_ifru.ifru_addr, sin6, sin6->sin6_len);
+>  		if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) {
+>  			warnmsg(LOG_ERR, __func__,
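
Review bot: on the added strncpy() line the bound is the full sizeof(ifr6.ifr_name), so a name of that length or longer fills the field and leaves no terminating NUL, even though memset() zeroed the struct just before; the ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) call that follows is then handed an unterminated name. Bound the copy to sizeof(ifr6.ifr_name) - 1 or use strlcpy(), and consider treating an over-long name as an error here instead of passing a silently truncated interface name to the ioctl.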

If so, this should be:

	strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name) - 1);
or even better:
	strlcpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name));

There will be no overflow here directly, but there could be one when it is
used in a scenario like this:

struct sfoo {
	char	buf[<x>];
	int	bar;
} foo;

	memset(&foo, 0, sizeof(foo));
	strncpy(foo.buf, "string x or more chars long", sizeof(foo.buf));
	foo.bar = <value != 0>;
	[...]
	char *p;
	[...]
	p = malloc(sizeof(foo.bar));
	strcpy(p, foo.bar);	/* overflow */

And of course strlen(3) could also end after foo.bar and the whole foo value
in that case.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
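
The unterminated-copy case discussed in this message, as an added example that is not part of the original mail or of the rtsold source: it compares the committed bound with the two suggested forms and checks termination with memchr() instead of performing the overflowing copy. NAMESZ, the fixed size of struct sfoo, copy_with_bound() and bounded_copy() are assumptions made for illustration; bounded_copy() is a portable stand-in with strlcpy(3) semantics.

```c
#include <stdio.h>
#include <string.h>

#define NAMESZ 16	/* constructed; stands in for sizeof(ifr6.ifr_name) */

struct sfoo {
	char	buf[NAMESZ];
	int	bar;
};

/* strncpy() into a zeroed struct with the given bound (at most
 * sizeof(foo->buf)), then set the neighbouring field non-zero as in the mail.
 * Returns 1 if buf holds a NUL inside its own bounds, 0 if a reader runs past. */
int copy_with_bound(struct sfoo *foo, const char *name, size_t bound)
{
	memset(foo, 0, sizeof(*foo));
	strncpy(foo->buf, name, bound);
	foo->bar = 1;
	return (memchr(foo->buf, '\0', sizeof(foo->buf)) != NULL);
}

/* Hypothetical strlcpy(3)-style helper: always terminates and returns
 * strlen(src), so a result >= size tells the caller the name was cut. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);

	if (size != 0) {
		size_t n = (len < size - 1) ? len : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return (len);
}

int main(void)
{
	struct sfoo foo;
	const char *name = "0123456789abcdefXYZ";	/* constructed, 19 chars */

	printf("bound = size:     terminated=%d\n",
	    copy_with_bound(&foo, name, sizeof(foo.buf)));
	printf("bound = size - 1: terminated=%d\n",
	    copy_with_bound(&foo, name, sizeof(foo.buf) - 1));
	printf("strlcpy-style:    truncated=%d\n",
	    bounded_copy(foo.buf, name, sizeof(foo.buf)) >= sizeof(foo.buf));
	return (0);
}
```

A name shorter than the buffer is safe with either bound because strncpy() pads the remainder with NULs; only a name of NAMESZ characters or more exposes the difference.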
