Date: Wed, 31 Jan 2001 08:09:21 -0600 From: "Jacques A. Vidrine" <n@nectar.com> To: Mike Heffner <mheffner@vt.edu> Cc: FreeBSD-audit <FreeBSD-audit@freebsd.org> Subject: Re: patch for libc/net/hesiod.c Message-ID: <20010131080920.A4720@hamlet.nectar.com> In-Reply-To: <XFMail.20010130230121.mheffner@vt.edu>; from mheffner@vt.edu on Tue, Jan 30, 2001 at 11:01:21PM -0500 References: <XFMail.20010130230121.mheffner@vt.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jan 30, 2001 at 11:01:21PM -0500, Mike Heffner wrote:
> This patch fixes some string overflow issues in the hesiod(3)
> functions in libc.
Thanks! You may also want to send this to <hesiod@MIT.EDU>,
since that's where the code originates. Of course, strlcpy/strlcat
may be something of a portability problem for them.
> Reviews?
>
>
> Index: hesiod.c
> ===================================================================
> RCS file: /home/ncvs/src/lib/libc/net/hesiod.c,v
> retrieving revision 1.3
> diff -u -r1.3 hesiod.c
> --- hesiod.c 2000/09/30 17:29:54 1.3
> +++ hesiod.c 2001/01/31 03:13:37
> @@ -162,7 +162,7 @@
> const char *rhs;
> int len;
>
> - strcpy(bindname, name);
> + strlcpy(bindname, name, sizeof(bindname));
How come no one checks for truncation? This should be e.g.
if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname))
return NULL;
[snip]
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010131080920.A4720>