libatm overflows

Christer Öberg christer.oberg at ornsat.com
Thu Sep 23 13:09:11 PDT 2004


There are some buffer overflows in libatm; see the attached diffs.


--- lib/libatm/ioctl_subr.c	2004-09-23 22:46:46.000000000 +0200
+++ lib/libatm/ioctl_subr.new	2004-09-23 22:42:25.000000000 +0200
@@ -164,7 +164,7 @@
 	air.air_opcode = AIOCS_INF_VCC;
 	UM_ZERO(air.air_vcc_intf, sizeof(air.air_vcc_intf));
 	if (intf != NULL && strlen(intf) != 0)
-		strcpy(air.air_vcc_intf, intf);
+		strlcpy(air.air_vcc_intf, intf, IFNAMSIZ);
 
 	buf_len = do_info_ioctl(&air, buf_len);
 
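Review bot: The `strlcpy` bound on the added line is `IFNAMSIZ`, while the `UM_ZERO` call above sizes the same field with `sizeof(air.air_vcc_intf)`; using `sizeof` in both places keeps the copy correct even if the field, whose declaration is not visible here, is not exactly `IFNAMSIZ` bytes. The return value is also dropped, so an over-long `intf` is silently truncated and the ioctl then queries a shorter interface name than the caller asked for. I would write `if (strlcpy(air.air_vcc_intf, intf, sizeof(air.air_vcc_intf)) >= sizeof(air.air_vcc_intf))` and fail the call there, using whatever error convention the enclosing function follows (its start and end are outside the hunk). The same applies to the hunks at 384, 422 and 461, which copy into `air_cfg_intf` and `air_int_intf`.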
@@ -384,7 +384,7 @@
         air.air_opcode = AIOCS_INF_CFG;
         UM_ZERO ( air.air_cfg_intf, sizeof(air.air_cfg_intf));
         if ( intf != NULL && strlen(intf) != 0 )
-                strcpy ( air.air_cfg_intf, intf );
+                strlcpy ( air.air_cfg_intf, intf, IFNAMSIZ );
 
         buf_len = do_info_ioctl ( &air, buf_len );
 
@@ -422,7 +422,7 @@
         air.air_opcode = AIOCS_INF_INT;
         UM_ZERO ( air.air_int_intf, sizeof(air.air_int_intf));
         if ( intf != NULL && strlen(intf) != 0 )
-                strcpy ( air.air_int_intf, intf );
+                strlcpy ( air.air_int_intf, intf, IFNAMSIZ );
 
         buf_len = do_info_ioctl ( &air, buf_len );
  
@@ -461,7 +461,7 @@
         air.air_opcode = AIOCS_INF_NIF;
         UM_ZERO ( air.air_int_intf, sizeof(air.air_int_intf) );
         if ( intf != NULL && strlen(intf) != 0 )
-                strcpy ( air.air_int_intf, intf );
+                strlcpy ( air.air_int_intf, intf, IFNAMSIZ );
 
         buf_len = do_info_ioctl ( &air, buf_len );
 
--- lib/libatm/ip_addr.c	2004-09-23 22:46:40.000000000 +0200
+++ lib/libatm/ip_addr.new	2004-09-23 22:42:50.000000000 +0200
@@ -122,7 +122,7 @@
 format_ip_addr(addr)
 	struct in_addr	*addr;
 {
-	static char	host_name[128];
+	static char	host_name[MAXHOSTNAMELEN + 18];
 	char		*ip_num;
 	struct hostent	*ip_host;
 
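Review bot: The `+ 18` in `host_name[MAXHOSTNAMELEN + 18]` is an unexplained constant that a later change to the output format could invalidate without anyone noticing. It appears to cover `" ("`, a 15-character dotted quad, `")"` and the terminator, assuming `MAXHOSTNAMELEN` already counts the name's NUL; a comment such as `/* h_name + " (" + 15-char dotted quad + ")" + NUL */` next to the declaration would record that. Note also that `h_name` comes from the resolver, so the real overflow protection is the bounded write later in the function rather than this size. The body of `format_ip_addr` continues outside the hunk.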
@@ -152,11 +152,9 @@
 		/*
 		 * Return host name followed by dotted decimal address
 		 */
-		strcpy(host_name, ip_host->h_name);
-		strcat(host_name, " (");
-		strcat(host_name, ip_num);
-		strcat(host_name, ")");
-		return(host_name);
+		snprintf(host_name, sizeof(host_name), "%s (%s)",
+			ip_host->h_name, ip_num);
+		return (host_name);
 	} else {
 		/*
 		 * No host name -- just return dotted decimal address
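Review bot: The result of the added `snprintf` is not checked, so an `h_name` too long for `host_name` produces a silently truncated string, possibly missing the address or the closing parenthesis. Since the host name is supplied by the resolver, I would detect that case and fall back to the numeric form: `n = snprintf(host_name, sizeof(host_name), "%s (%s)", ip_host->h_name, ip_num);` followed by `if (n < 0 || (size_t)n >= sizeof(host_name)) return (ip_num);`, with `int n` declared at the top. This assumes `ip_num` is the same dotted decimal string the `else` branch returns, which is assigned outside the hunk.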



