The data used in strcpy is partially provided by the user. This can be larger than the destination buffer and thus overwrite data after the actual string buffer. This can easily be avoided by using strncpy.
Signed-off-by: Sven Eckelmann sven@narfation.org
---
 debugfs.c | 4 +++-
 ioctl.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/debugfs.c b/debugfs.c
index 8dd78b1..7bac044 100644
--- a/debugfs.c
+++ b/debugfs.c
@@ -74,7 +74,9 @@ const char *debugfs_find_mountpoint(void)
 while (*ptr) {
 if (debugfs_valid_mountpoint(*ptr) == 0) {
 debugfs_found = 1;
- strcpy(debugfs_mountpoint, *ptr);
+ strncpy(debugfs_mountpoint, *ptr,
+ sizeof(debugfs_mountpoint));
+ debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = 0;
 return debugfs_mountpoint;
 }
 ptr++;
diff --git a/ioctl.c b/ioctl.c
index 1f827e8..d3d182f 100644
--- a/ioctl.c
+++ b/ioctl.c
@@ -105,7 +105,8 @@ int ioctl_statistics_get(char *mesh_iface)
 int fd = -1, ret = EXIT_FAILURE;
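Review bot: The bounded copy in debugfs_find_mountpoint() truncates silently, so an over-long `*ptr` still sets `debugfs_found = 1` and returns a shortened path that was never checked by debugfs_valid_mountpoint(). The ioctl.c hunk has the same gap: a truncated `mesh_iface` would presumably make the request refer to whichever interface matches the shortened name rather than fail. Reject over-long input before copying, e.g. `if (strlen(mesh_iface) >= sizeof(ifr.ifr_name)) return EXIT_FAILURE;` in ioctl_statistics_get(), and an equivalent length test that skips the entry inside the while loop here. The `sizeof` bound is only correct if `debugfs_mountpoint` is declared as an array, which is outside this hunk; both function bodies continue past the visible lines.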
 memset(&ifr, 0, sizeof(ifr));
- strcpy(ifr.ifr_name, mesh_iface);
+ strncpy(ifr.ifr_name, mesh_iface, sizeof(ifr.ifr_name));
+ ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
 fd = socket(AF_INET, SOCK_DGRAM, 0);
 if (fd < 0) {