Date: Mon, 17 Mar 1997 21:23:52 +0100 (MET)
From: Guido van Rooij <guido@gvr.win.tue.nl>
To: eivind@freefall.freebsd.org (Eivind Eklund)
Cc: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org
Subject: Re: cvs commit: src/lib/libtermcap tgoto.c
Message-ID: <199703172023.VAA15757@gvr.win.tue.nl>
In-Reply-To: <199703170930.BAA01864@freefall.freebsd.org> from Eivind Eklund at "Mar 17, 97 01:30:23 am"

Eivind Eklund wrote:
> eivind 97/03/17 01:30:22
>
> Modified: lib/libtermcap tgoto.c
> Log:
> Buffer overflow fix - closes PR bin/2983 for -current. Should really
> go into 2.2.0 Release, even at the present time. Problem spotted by
> Tero Kivinen <kivinen@ssh.fi> - was in BugTraq today :-(

Shouldn't you \0-terminate the copied string? This was suggested in the
same article. Further, there is a strcpy on the end. That should also
be fixed.

I think the if statements should be something like:
	if (dp >= &result[MAXRETURNSIZE-1])
The strcpy should be:
	strncpy(dp, added, sizeof(result) - (dp - result) - 1);

The '\0' will automatically be always in place because it is in the bss
and it's never overwritten.

-Guido
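
The guard and the bounded tail copy suggested in the message above, as an added example that is not part of the original e-mail or of the FreeBSD source. The function name bounded_goto, the buffer size of 64 and the NULL return on overflow are assumptions made for illustration; only the two quoted expressions come from the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXRETURNSIZE 64   /* assumed value; the message names only the macro */

/* Static storage is zero-filled at program start (the "bss" argument). */
static char result[MAXRETURNSIZE];

/*
 * Hypothetical stand-in for the copy loop: write fmt into result one byte
 * at a time, then append `added`. Returns NULL if fmt alone does not fit
 * (an assumption of this example, not the library's behaviour).
 */
char *bounded_goto(const char *fmt, const char *added)
{
    char *dp = result;

    while (*fmt != '\0') {
        /* Guard from the message: the last byte of result is never written. */
        if (dp >= &result[MAXRETURNSIZE - 1])
            return NULL;
        *dp++ = *fmt++;
    }
    /*
     * Tail copy from the message: at most the space left minus the reserved
     * last byte. strncpy zero-pads when `added` is shorter than that, which
     * also clears stale bytes left by an earlier, longer call. When `added`
     * is truncated, strncpy writes no terminator itself; the string still
     * ends at result[MAXRETURNSIZE - 1], which stays '\0'.
     */
    strncpy(dp, added, sizeof(result) - (dp - result) - 1);
    return result;
}

int main(void)
{
    char fmt[61];

    memset(fmt, 'A', 60);   /* constructed input: 60 bytes of prefix */
    fmt[60] = '\0';
    /* 60 + 10 bytes do not fit: the tail is cut to 3 bytes, length is 63. */
    printf("%zu\n", strlen(bounded_goto(fmt, "0123456789")));
    /* A shorter call afterwards leaves no residue from the longer one. */
    printf("%s\n", bounded_goto("ab", "c"));
    return 0;
}
```

The terminator guarantee holds only while every write into result goes through the guard or the bounded copy; a single unchecked write to the last byte breaks it for all later calls.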