Repository : ssh://git@open-mesh.org/batctl
On branch : next
commit f1e262c80941ab1b4342999cd200840db6683a62 Author: Sven Eckelmann sven@narfation.org Date: Tue Sep 10 23:11:52 2013 +0200
batctl: Fix possible buffer overflow when using strncat
The length field (n) of strncat is used to specify the length of the buffer without the \0 delimiter. strncat adds the delimiter even when the limit of n bytes has already been written.
Signed-off-by: Sven Eckelmann sven@narfation.org Signed-off-by: Marek Lindner mareklindner@neomailbox.ch
f1e262c80941ab1b4342999cd200840db6683a62 bat-hosts.c | 2 +- functions.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bat-hosts.c b/bat-hosts.c
index 04e7a9b..f0adb9c 100644
--- a/bat-hosts.c
+++ b/bat-hosts.c
@@ -194,7 +194,7 @@ void bat_hosts_init(int read_opt)
strncpy(confdir, homedir, CONF_DIR_LEN);
confdir[CONF_DIR_LEN - 1] = '\0';
- strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir));
+ strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir) - 1);
} else {
strncpy(confdir, bat_hosts_path[i], CONF_DIR_LEN);
confdir[CONF_DIR_LEN - 1] = '\0';
diff --git a/functions.c b/functions.c
index cc05a48..0359287 100644
--- a/functions.c
+++ b/functions.c
@@ -180,7 +180,7 @@ int read_file(char *dir, char *fname, int read_opt,
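Review bot: A long homedir or bat_hosts_path entry is still truncated silently in this branch of bat_hosts_init, so confdir can end up naming a different file than the one intended. The bound itself is sound, because the forced terminator keeps strlen(confdir) at most CONF_DIR_LEN - 1 and the subtraction cannot wrap. Building the path with `int n = snprintf(confdir, CONF_DIR_LEN, "%s%s", homedir, &bat_hosts_path[i][1]);` and skipping the entry when `n < 0 || n >= CONF_DIR_LEN` would make the overlong case explicit; the strncpy in the else branch truncates in the same silent way. The declaration of confdir and the enclosing loop are outside the hunk, so this assumes confdir is CONF_DIR_LEN bytes.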
strncpy(full_path, dir, strlen(dir));
full_path[strlen(dir)] = '\0';
- strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+ strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
open: line = 0;
@@ -305,7 +305,7 @@ int write_file(char *dir, char *fname, char *arg1, char *arg2)
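Review bot: The two context lines above the corrected strncat in read_file still size the copy by the source rather than the destination: `strncpy(full_path, dir, strlen(dir))` writes strlen(dir) bytes whatever the size of full_path, and `full_path[strlen(dir)] = '\0'` indexes by the same length, so an overlong dir overruns the buffer before strncat runs. In that case `sizeof(full_path) - strlen(full_path) - 1` would also wrap around as an unsigned value and the new bound would give no protection. Replacing the three lines with `int n = snprintf(full_path, sizeof(full_path), "%s%s", dir, fname);` and failing the call when `n < 0 || (size_t)n >= sizeof(full_path)` bounds both parts and refuses a truncated path instead of opening it. The write_file hunk that follows has the identical three lines and needs the same change. The declaration of full_path and both functions' error paths are outside the hunks, so this assumes full_path is a local array and leaves the exact failure return to the surrounding code.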
strncpy(full_path, dir, strlen(dir));
full_path[strlen(dir)] = '\0';
- strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+ strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
fd = open(full_path, O_WRONLY);