libatm overflows
Scott Ullrich
geekgod at geekgod.com
Thu Sep 23 13:21:15 PDT 2004
Committed!
Scott
Christer Öberg wrote:
There are some overflows in libatm, see attached diffs.
------------------------------------------------------------------------
--- lib/libatm/ioctl_subr.c 2004-09-23 22:46:46.000000000 +0200
+++ lib/libatm/ioctl_subr.new 2004-09-23 22:42:25.000000000 +0200
@@ -164,7 +164,7 @@
air.air_opcode = AIOCS_INF_VCC;
UM_ZERO(air.air_vcc_intf, sizeof(air.air_vcc_intf));
if (intf != NULL && strlen(intf) != 0)
- strcpy(air.air_vcc_intf, intf);
+ strlcpy(air.air_vcc_intf, intf, IFNAMSIZ);
buf_len = do_info_ioctl(&air, buf_len);
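Review bot: The new bound is the constant `IFNAMSIZ`, while the `UM_ZERO` call one line above sizes the same field with `sizeof(air.air_vcc_intf)`; taking the size from the destination keeps the copy correct if the field is ever declared with a different length: `strlcpy(air.air_vcc_intf, intf, sizeof(air.air_vcc_intf));`. The same applies to the `air_cfg_intf` copy and both `air_int_intf` copies in the three later hunks of this file. The return value of `strlcpy` is also discarded, so an over-long interface name is silently truncated and the ioctl is issued for the shortened name; comparing the result with the field size and returning an error would make that case visible. The enclosing functions start and end outside the hunks.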
@@ -384,7 +384,7 @@
air.air_opcode = AIOCS_INF_CFG;
UM_ZERO ( air.air_cfg_intf, sizeof(air.air_cfg_intf));
if ( intf != NULL && strlen(intf) != 0 )
- strcpy ( air.air_cfg_intf, intf );
+ strlcpy ( air.air_cfg_intf, intf, IFNAMSIZ );
buf_len = do_info_ioctl ( &air, buf_len );
@@ -422,7 +422,7 @@
air.air_opcode = AIOCS_INF_INT;
UM_ZERO ( air.air_int_intf, sizeof(air.air_int_intf));
if ( intf != NULL && strlen(intf) != 0 )
- strcpy ( air.air_int_intf, intf );
+ strlcpy ( air.air_int_intf, intf, IFNAMSIZ );
buf_len = do_info_ioctl ( &air, buf_len );
@@ -461,7 +461,7 @@
air.air_opcode = AIOCS_INF_NIF;
UM_ZERO ( air.air_int_intf, sizeof(air.air_int_intf) );
if ( intf != NULL && strlen(intf) != 0 )
- strcpy ( air.air_int_intf, intf );
+ strlcpy ( air.air_int_intf, intf, IFNAMSIZ );
buf_len = do_info_ioctl ( &air, buf_len );
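Review bot: The `AIOCS_INF_NIF` request here fills `air.air_int_intf`, the same member the `AIOCS_INF_INT` hunk above uses. If the request structure has a member dedicated to this opcode, the zeroing and the copy should both name it; if the members deliberately overlap, a short comment such as `/* NIF requests reuse the interface-name member */` would keep a later reader from treating it as a copy-paste slip. This predates the patch, but the changed line carries it forward.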
------------------------------------------------------------------------
--- lib/libatm/ip_addr.c 2004-09-23 22:46:40.000000000 +0200
+++ lib/libatm/ip_addr.new 2004-09-23 22:42:50.000000000 +0200
@@ -122,7 +122,7 @@
format_ip_addr(addr)
struct in_addr *addr;
{
- static char host_name[128];
+ static char host_name[MAXHOSTNAMELEN + 18];
char *ip_num;
struct hostent *ip_host;
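Review bot: The `18` in `host_name[MAXHOSTNAMELEN + 18]` is unexplained. It appears to cover the ` (`, a dotted-quad address of up to 15 characters and the closing `)` that the format string in the next hunk appends, but nothing on the line says so; a comment such as `/* host name + " (" + dotted quad + ")" */` would keep the size and the format string in step. The buffer is `static` and its address is returned, so each call overwrites the previous result; the function's header comment, which is outside the hunk, should state that.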
@@ -152,11 +152,9 @@
/*
* Return host name followed by dotted decimal address
*/
- strcpy(host_name, ip_host->h_name);
- strcat(host_name, " (");
- strcat(host_name, ip_num);
- strcat(host_name, ")");
- return(host_name);
+ snprintf(host_name, sizeof(host_name), "%s (%s)",
+ ip_host->h_name, ip_num);
+ return (host_name);
} else {
/*
* No host name -- just return dotted decimal address
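Review bot: The result of `snprintf` is not checked, so a host name too long for `host_name` is cut off without notice and the returned string loses part or all of its ` (address)` suffix. `ip_host->h_name` presumably comes from a resolver lookup outside the hunk, so its length is not under this program's control. If callers rely on the address being present, store the result and test it, `if (n < 0 || (size_t)n >= sizeof(host_name))`, falling back to the dotted decimal form that the `else` branch appears to return. The function body starts and ends outside the hunk.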