[commits] [batctl] next: batctl: Fix possible buffer overflow when using strncat (f1e262c)

postmaster at open-mesh.org postmaster at open-mesh.org
Wed Sep 11 12:49:32 CEST 2013


Repository : ssh://git@open-mesh.org/batctl

On branch  : next

>---------------------------------------------------------------

commit f1e262c80941ab1b4342999cd200840db6683a62
Author: Sven Eckelmann <sven at narfation.org>
Date:   Tue Sep 10 23:11:52 2013 +0200

    batctl: Fix possible buffer overflow when using strncat
    
    The length field (n) of strncat is used to specify the length of the buffer
    without the \0 delimiter. strncat will add it even when it will write it to the
    limit of n bytes was written.
    
    Signed-off-by: Sven Eckelmann <sven at narfation.org>
    Signed-off-by: Marek Lindner <mareklindner at neomailbox.ch>


>---------------------------------------------------------------

f1e262c80941ab1b4342999cd200840db6683a62
 bat-hosts.c |    2 +-
 functions.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bat-hosts.c b/bat-hosts.c
index 04e7a9b..f0adb9c 100644
--- a/bat-hosts.c
+++ b/bat-hosts.c
@@ -194,7 +194,7 @@ void bat_hosts_init(int read_opt)
 
 			strncpy(confdir, homedir, CONF_DIR_LEN);
 			confdir[CONF_DIR_LEN - 1] = '\0';
-			strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir));
+			strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir) - 1);
 		} else {
 			strncpy(confdir, bat_hosts_path[i], CONF_DIR_LEN);
 			confdir[CONF_DIR_LEN - 1] = '\0';
diff --git a/functions.c b/functions.c
index cc05a48..0359287 100644
--- a/functions.c
+++ b/functions.c
@@ -180,7 +180,7 @@ int read_file(char *dir, char *fname, int read_opt,
 
 	strncpy(full_path, dir, strlen(dir));
 	full_path[strlen(dir)] = '\0';
-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
 
 open:
 	line = 0;
@@ -305,7 +305,7 @@ int write_file(char *dir, char *fname, char *arg1, char *arg2)
 
 	strncpy(full_path, dir, strlen(dir));
 	full_path[strlen(dir)] = '\0';
-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
 
 	fd = open(full_path, O_WRONLY);
 



More information about the commits mailing list