- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.

Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
2000-09-26 13:10:37 +11:00 · 2000-09-26 13:10:37 +11:00 · e772b684cc
parent b2033a41a1
commit e772b684cc
2 changed files with 8 additions and 6 deletions
--- a/4
+++ b/4
@ -1,6 +1,8 @@
 20000926
 - (djm) Update X11-askpass to 1.0.2 in RPM spec file
- - (djm) Define _REENTRANT
+ - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX
+ - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. 
+   Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> 

 20000924
 - (djm) Merged cleanup patch from Mark Miller <markm@swoon.net>
--- a/fake-getnameinfo.c
+++ b/fake-getnameinfo.c
@ -25,15 +25,15 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 		if (strlen(tmpserv) > servlen)
 			return EAI_MEMORY;
 		else
-			strcpy(serv, tmpserv);
+			strlcpy(serv, tmpserv, servlen);
 	}

 	if (host) {
 		if (flags & NI_NUMERICHOST) {
-			if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
+			if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen)
 				return EAI_MEMORY;

-			strcpy(host, inet_ntoa(sin->sin_addr));
+			strlcpy(host, inet_ntoa(sin->sin_addr), hostlen);
 			return 0;
 		} else {
 			hp = gethostbyaddr((char *)&sin->sin_addr, 
@ -41,10 +41,10 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 			if (hp == NULL)
 				return EAI_NODATA;
 			
-			if (strlen(hp->h_name) > hostlen)
+			if (strlen(hp->h_name) >= hostlen)
 				return EAI_MEMORY;

-			strcpy(host, hp->h_name);
+			strlcpy(host, hp->h_name, hostlen);
 			return 0;
 		}
 	}