From: Guido van Rooij
Message-Id: <199703172023.VAA15757@gvr.win.tue.nl>
Subject: Re: cvs commit: src/lib/libtermcap tgoto.c
In-Reply-To: <199703170930.BAA01864@freefall.freebsd.org> from Eivind Eklund at "Mar 17, 97 01:30:23 am"
To: eivind@freefall.freebsd.org (Eivind Eklund)
Date: Mon, 17 Mar 1997 21:23:52 +0100 (MET)
Cc: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org

Eivind Eklund wrote:
> eivind       97/03/17 01:30:22
>
>   Modified:    lib/libtermcap  tgoto.c
>   Log:
>   Buffer overflow fix - closes PR bin/2983 for -current. Should really
>   go into 2.2.0 Release, even at the present time. Problem spotted by
>   Tero Kivinen - was in BugTraq today :-(

Shouldn't you \0-terminate the copied string? This was suggested in the
same article.

Further, there is a strcpy on the end. That should also be fixed. I think
the if statements should be something like:

	if (dp >= &result[MAXRETURNSIZE-1])

The strncpy should be:

	strncpy(dp, added, sizeof(result) - (dp - result) - 1);

The '\0' will automatically always be in place because it is in the bss
and it's never overwritten.

-Guido
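The two fixes proposed in the mail, the `dp >= &result[MAXRETURNSIZE-1]` check before each store and the bounded `strncpy` for the tail copy, are shown below next to the unchecked shape they replace. This is an added illustration written for this page; it is not the FreeBSD libtermcap `tgoto.c` source and not code from either correspondent. It only models the shape the mail describes: a static `result[MAXRETURNSIZE]` in bss, a write pointer `dp`, a loop that emits characters, and a final copy of a string `added`. The names `result`, `dp`, `added` and `MAXRETURNSIZE` come from the mail; the value `MAXRETURNSIZE = 16`, the body/added split of the input, and returning `NULL` when the body does not fit are assumptions made for the demonstration.

```c
/*
 * Added illustration of the bounds-check pattern discussed in the mail.
 * NOT the FreeBSD tgoto.c source: it models only the shape of that code
 * (static result[] in bss, write pointer dp, emit loop, tail copy of
 * `added`).  MAXRETURNSIZE = 16 and returning NULL on overflow are
 * assumptions for the demonstration.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAXRETURNSIZE 16

/*
 * The unchecked shape the mail objects to.  The real function would write
 * into a MAXRETURNSIZE buffer and run off its end; here the scratch area is
 * 16x larger so the overrun can be counted instead of corrupting memory.
 * Returns bytes written including the '\0'; anything above MAXRETURNSIZE
 * would have been an overflow in the real buffer.
 */
size_t build_unchecked(const char *body, const char *added)
{
    static char scratch[MAXRETURNSIZE * 16];
    char *dp = scratch;

    while (*body)
        *dp++ = *body++;        /* no test against &result[MAXRETURNSIZE-1] */
    strcpy(dp, added);          /* unbounded: copies strlen(added)+1 bytes */
    return (size_t)(dp - scratch) + strlen(added) + 1;
}

/*
 * The checked shape.  result lives in bss, so result[MAXRETURNSIZE-1] is 0
 * at program start; the loop refuses to store into that byte and the
 * strncpy length leaves it alone too, so the string is always terminated,
 * at worst truncated.  Returns NULL (assumption) when the body alone would
 * need the reserved byte.
 */
const char *build_checked(const char *body, const char *added)
{
    static char result[MAXRETURNSIZE];
    char *dp = result;
    const char *cp;

    for (cp = body; *cp != '\0'; cp++) {
        if (dp >= &result[MAXRETURNSIZE - 1])   /* only [0..MAXRETURNSIZE-2] is writable */
            return NULL;
        *dp++ = *cp;
    }
    /* Remaining room minus the reserved terminator: strncpy pads with '\0'
     * when `added` is shorter and simply stops when it is longer. */
    strncpy(dp, added, sizeof(result) - (size_t)(dp - result) - 1);
    return result;
}

int main(void)
{
    /* constructed input: 10 + 10 chars, which do not fit in 16 bytes */
    const char *body = "AAAAAAAAAA", *added = "BBBBBBBBBB";
    const char *r;

    printf("unchecked writes %zu bytes into a %d-byte buffer\n",
           build_unchecked(body, added), MAXRETURNSIZE);
    r = build_checked(body, added);
    printf("checked: \"%s\" (%zu chars, truncated but terminated)\n", r, strlen(r));
    printf("checked with 16-char body: %s\n",
           build_checked("AAAAAAAAAAAAAAAA", "") ? "stored" : "rejected");
    return 0;
}
```

The `-1` in both places is the whole point: the loop check keeps `dp` at or below `&result[MAXRETURNSIZE-2]` when it stores, and the `strncpy` length stops one short of the end, so the final byte is never written and the zero the loader put there survives every call. Dropping either `-1` reintroduces an unterminated string on the truncation path.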