Re: Administrivia: List Announcement
From: Eric Haugh (haugh_at_cs.ucdavis.edu)
Date: 05/13/03
- Previous message: Gustavo Scotti: "RE: Administrivia: List Announcement"
- In reply to: xenophi1e: "Re: Administrivia: List Announcement"
- Next in thread: Nexus: "Re: Administrivia: List Announcement"
To: vuln-dev@securityfocus.com
Date: Tue, 13 May 2003 14:23:53 -0700
> >
> > strncpy(buf2, p2, SIZE);
>
> Off-by-one. Third arg should be SIZE-1 to leave room for the terminating
> NULL. This error should lead to a heap based vulnerability when the
> memory is free()d.
>
Even if this is changed to:

    strncpy(buf2, p2, SIZE - 1);

it is still not safe, because strncpy will not write the terminating NULL
character if p2 is of length SIZE - 1 or more. So this can leave the string
in buf2 unterminated. It should be:

    strncpy(buf2, p2, SIZE); // or strncpy(buf2, p2, SIZE - 1), doesn't matter
    buf2[SIZE - 1] = '\0';

Or better yet:

    strlcpy(buf2, p2, SIZE);

Eric
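
Added example, not part of the original message: a small C program that shows the SIZE - 1 variant leaving the buffer unterminated, next to the explicit-terminator fix. SIZE = 8, the 0xAA fill (standing in for stale memory) and the helper bounded_copy (a hypothetical stand-in with strlcpy-style semantics, used because strlcpy is not available in every libc) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 8  /* constructed buffer size for the demonstration */

/* Returns 1 if buf[0..n-1] contains a terminating '\0', else 0. */
static int is_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* The SIZE - 1 variant on its own; 0xAA fill stands in for stale data. */
int copy_size_minus_one(const char *src) {
    char buf[SIZE];
    memset(buf, 0xAA, sizeof buf);
    strncpy(buf, src, SIZE - 1);  /* no '\0' written if strlen(src) >= SIZE-1 */
    return is_terminated(buf, sizeof buf);
}

/* strncpy followed by the explicit terminator, as in the message. */
int copy_with_explicit_nul(const char *src) {
    char buf[SIZE];
    memset(buf, 0xAA, sizeof buf);
    strncpy(buf, src, SIZE);
    buf[SIZE - 1] = '\0';
    return is_terminated(buf, sizeof buf);
}

/* Hypothetical helper with strlcpy-style semantics: always terminates
 * when n > 0 and returns strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, const char *src, size_t n) {
    size_t len = strlen(src);
    if (n > 0) {
        size_t k = len < n - 1 ? len : n - 1;
        memcpy(dst, src, k);
        dst[k] = '\0';
    }
    return len;
}

int main(void) {
    char out[SIZE];
    printf("SIZE-1 only, short src: %d\n", copy_size_minus_one("abc"));
    printf("SIZE-1 only, long src:  %d\n", copy_size_minus_one("0123456789"));
    printf("explicit NUL, long src: %d\n", copy_with_explicit_nul("0123456789"));
    size_t need = bounded_copy(out, "0123456789", sizeof out);
    printf("bounded_copy: \"%s\" truncated=%d\n", out, need >= sizeof out);
    return 0;
}
```

A return value from bounded_copy that is greater than or equal to the destination size means the source was truncated, which the caller can treat as an error instead of silently using the shortened string.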