off-by-one errors in getnameinfo()
Pavel Kankovsky
peak at argo.troja.mff.cuni.cz
Tue Sep 26 09:27:27 EST 2000
Description:
getnameinfo() (confirmed for CVS version 1.14.2.1) does this sort of
buffer size check (these are just two of many cases):
    if (strlen(sp->s_name) > servlen)
        return ENI_MEMORY;
    strcpy(serv, sp->s_name);
    ...
    if (strlen(hp->h_name) > hostlen) {
        return ENI_MEMORY;
    }
    strcpy(host, hp->h_name);
i.e. it can write up to servlen / hostlen bytes PLUS a terminating zero.
This contradicts the manpage (and RFC 2533) as well as the way your own
programs appear to use it (at least OpenSSH and in.ftpd use sizeof() of a
buffer as servlen / hostlen).
Proposed fix:
Replace >'s with >='s.
Related problems:
The simpleminded implementation of getnameinfo() included in "portable
OpenSSH" is affected too.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
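Added example (not from the report or from any getnameinfo() implementation): the quoted `>` check beside the proposed `>=` fix, each run against an 8-byte buffer with a canary byte placed directly after it, so the terminating NUL landing one past servlen/hostlen becomes visible. The ENI_MEMORY value, the buffer size and the helper names are assumptions made for the demonstration.

```c
#include <string.h>

#define ENI_MEMORY 4      /* error code named in the report; value assumed here */
#define OVERFLOWED (-1)   /* probe() result when the canary was clobbered */
#define CANARY 0x7f

/* Check exactly as quoted in the report: strlen(name) == len passes,
 * and strcpy() then writes len + 1 bytes (the NUL spills past the buffer). */
static int copy_name_reported(char *dst, size_t len, const char *name)
{
    if (strlen(name) > len)
        return ENI_MEMORY;
    strcpy(dst, name);
    return 0;
}

/* Proposed fix: a name only fits if there is room for the terminator too. */
static int copy_name_fixed(char *dst, size_t len, const char *name)
{
    if (strlen(name) >= len)
        return ENI_MEMORY;
    strcpy(dst, name);
    return 0;
}

/* Call 'copier' with an 8-byte buffer (the servlen/hostlen a caller would
 * pass as sizeof) followed by one canary byte inside the same array, so the
 * stray write is observable without undefined behaviour.
 * Returns the copier's return value, or OVERFLOWED if the canary changed. */
static int probe(int (*copier)(char *, size_t, const char *), const char *name)
{
    enum { LEN = 8 };
    char buf[LEN + 1];
    memset(buf, 'X', LEN);
    buf[LEN] = CANARY;
    int rc = copier(buf, LEN, name);
    return buf[LEN] == CANARY ? rc : OVERFLOWED;
}

int main(void)
{
    /* constructed input: exactly 8 characters, i.e. strlen(name) == LEN */
    const char *eight = "abcdefgh";
    return probe(copy_name_reported, eight) == OVERFLOWED
        && probe(copy_name_fixed, eight) == ENI_MEMORY ? 0 : 1;
}
```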