BugTraq
Re: cdp buffer overflow vulnerability Mar 31 2004 09:45PM
Vade 79 (v9 fakehalo deadpig org)
In-Reply-To: <20040331161611.75451.qmail (at) web25104.mail.ukl.yahoo (dot) com [email concealed]>

For the patch you provided, you should use sizeof(buffer), not strlen(buffer) (or 200), to limit the amount written to buffer[].

>--- songname.patch ---

>

>--- cdp.c 2004-03-31 15:48:55.000000000 +0100

>+++ cdp.1.c 2004-03-31 15:44:35.000000000 +0100

>@@ -154,7 +154,7 @@

> for ( ind = 0; ind < cdStatus.thiscd.ntracks;

>ind++ ) {

> trk = &cdStatus.thiscd.trk[ ind ];

> if ( trk->songname != NULL ) {

>- sprintf( buffer, "%s", trk->songname );

>+ snprintf( buffer, strlen(buffer), "%s",

>trk->songname );

> } else

> buffer[ 0 ] = 0;

>

>
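Review bot: on the added snprintf line, the size argument strlen(buffer) is the length of the string already stored in buffer, not the capacity of the array, so the bound depends on whatever the previous loop iteration or earlier code left there. If buffer starts with a NUL byte the size is 0 and nothing is written; otherwise each song name is cut to one character less than the prior contents, and if buffer holds no terminator yet, the strlen call itself reads past the end of the array. Assuming buffer is an array declared in this scope (its declaration is outside the hunk), pass its capacity instead: snprintf( buffer, sizeof(buffer), "%s", trk->songname ); and consider checking the return value to detect truncation.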

>--- eof ---
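The difference the reply points out, as an added example that is not part of the original post or of cdp's source. The helper names and the sample strings are hypothetical, and the 200-byte size is taken from the reply's "(or 200)".

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 200   /* assumed capacity of buffer[], per the reply */

/* Hypothetical helper mirroring the posted patch: the bound is the length
 * of the string currently in the buffer, not the buffer's capacity. */
static int copy_strlen_bound(char *buffer, const char *songname)
{
    return snprintf(buffer, strlen(buffer), "%s", songname);
}

/* Hypothetical helper using the capacity, as the reply suggests. The
 * pointer-to-array parameter keeps sizeof meaningful; with a plain char *
 * parameter, sizeof would yield the pointer size instead.
 * Returns 1 if the name was truncated (or on error), 0 if it fit. */
static int copy_sizeof_bound(char (*buffer)[BUFSZ], const char *songname)
{
    int n = snprintf(*buffer, sizeof(*buffer), "%s", songname);
    return n < 0 || (size_t)n >= sizeof(*buffer);
}

int main(void)
{
    char buffer[BUFSZ] = "";            /* constructed starting state */
    char longname[2 * BUFSZ];           /* constructed oversized song name */
    int truncated;

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    /* Empty buffer: strlen() is 0, so snprintf writes nothing at all. */
    copy_strlen_bound(buffer, "Track One");
    printf("strlen bound, empty buffer: \"%s\"\n", buffer);

    /* Four characters already present: only three of the new name fit. */
    strcpy(buffer, "abcd");
    copy_strlen_bound(buffer, "Track One");
    printf("strlen bound, after \"abcd\": \"%s\"\n", buffer);

    /* Capacity bound: oversized input is cut at BUFSZ - 1 and reported. */
    truncated = copy_sizeof_bound(&buffer, longname);
    printf("sizeof bound: %zu bytes kept, truncated=%d\n",
           strlen(buffer), truncated);
    return 0;
}
```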
