Date: Sat, 16 Aug 2003 21:56:57 +0200
From: Pawel Jakub Dawidek
To: Hajimu UMEMOTO
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/rtsold if.c
Message-ID: <20030816195657.GV395@garage.freebsd.pl>
In-Reply-To: <200308161900.h7GJ0W66093273@repoman.freebsd.org>

On Sat, Aug 16, 2003 at 12:00:32PM -0700, Hajimu UMEMOTO wrote:
[...]
+> - use strncpy just in case.
[...]
+> 
@@ -333,7 +333,7 @@ get_llflag(const char *name) +> continue; +> =20 +> memset(&ifr6, 0, sizeof(ifr6)); +> - strcpy(ifr6.ifr_name, name); +> + strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name)); +> memcpy(&ifr6.ifr_ifru.ifru_addr, sin6, sin6->sin6_len); +> if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) { +> warnmsg(LOG_ERR, __func__,

If so, this should be:

	strncpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name) - 1);

or even better:

	strlcpy(ifr6.ifr_name, name, sizeof(ifr6.ifr_name));

There will be no overflow here directly, but there could be when it is used in a scenario like this:

	struct sfoo {
		char buf[];
		int bar;
	} foo;

	memset(&foo, 0, sizeof(foo));
	strncpy(foo.buf, "string x or more chars long", sizeof(foo.buf));
	foo.bar = ;
	[...]
	char *p;
	[...]
	p = malloc(sizeof(foo.bar));
	strcpy(p, foo.bar); /* overflow */

And of course strlen(3) could also end after foo.bar and all foo value in that case.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
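
Review bot: the added strncpy() in get_llflag() passes the full sizeof(ifr6.ifr_name) as its bound, so a name of that length or longer fills the field and leaves it without a terminating NUL before the SIOCGIFAFLAG_IN6 ioctl. Because the memset() just above zeroes ifr6, a bound of sizeof(ifr6.ifr_name) - 1 keeps the last byte NUL. strlcpy() gives the same guarantee, and its return value lets the caller reject an over-long name instead of silently truncating it.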
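
The termination behaviour discussed in this reply, as an added example that is not part of the original message or of rtsold. It assumes a constructed `struct req` with a 16-byte name field, and `bounded_copy` is a hypothetical strlcpy-style helper written out so the block builds where strlcpy(3) is unavailable.

```c
#include <stdio.h>
#include <string.h>

#define NAMESZ 16	/* assumed field size for this example */

/* Constructed stand-in for a request struct with a fixed-size name field. */
struct req {
	char name[NAMESZ];
	int flags;
};

/*
 * Zero the struct, strncpy() with the given bound, and report whether a
 * NUL terminator exists inside the name field (1) or not (0).
 */
static int copy_strncpy(struct req *r, const char *src, size_t bound)
{
	memset(r, 0, sizeof(*r));
	strncpy(r->name, src, bound);
	return memchr(r->name, '\0', sizeof(r->name)) != NULL;
}

/*
 * strlcpy-style copy written out portably: always terminates when size > 0
 * and returns strlen(src), so a result >= size means truncation.
 */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);
	if (size != 0) {
		size_t n = len < size - 1 ? len : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

int main(void)
{
	struct req r;
	const char *name = "interface_name_too_long0";	/* constructed, 24 chars */
	printf("bound = size:     terminated=%d\n",
	    copy_strncpy(&r, name, sizeof(r.name)));
	printf("bound = size - 1: terminated=%d\n",
	    copy_strncpy(&r, name, sizeof(r.name) - 1));
	printf("bounded_copy:     truncated=%d name=\"%s\"\n",
	    bounded_copy(r.name, name, sizeof(r.name)) >= sizeof(r.name), r.name);
	return 0;
}
```

The check uses memchr() over the field rather than strlen(), so the unterminated case is detected without reading past the buffer.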