public inbox for b.a.t.m.a.n@lists.open-mesh.org
From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann <sven@narfation.org>
Subject: [B.A.T.M.A.N.] [PATCH 01/11] batctl: Fix possible buffer overflow when using strncat
Date: Tue, 10 Sep 2013 23:11:52 +0200
Message-ID: <1378847522-13776-2-git-send-email-sven@narfation.org>
In-Reply-To: <1378847522-13776-1-git-send-email-sven@narfation.org>

The length field (n) of strncat is used to specify the length of the buffer
without the \0 delimiter. strncat will add it even when the limit of n bytes
was written.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 bat-hosts.c | 2 +-
 functions.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bat-hosts.c b/bat-hosts.c
index 04e7a9b..f0adb9c 100644
--- a/bat-hosts.c
+++ b/bat-hosts.c
@@ -194,7 +194,7 @@ void bat_hosts_init(int read_opt)
 
 			strncpy(confdir, homedir, CONF_DIR_LEN);
 			confdir[CONF_DIR_LEN - 1] = '\0';
-			strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir));
+			strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir) - 1);
 		} else {
 			strncpy(confdir, bat_hosts_path[i], CONF_DIR_LEN);
 			confdir[CONF_DIR_LEN - 1] = '\0';
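Review bot: in the homedir branch of bat_hosts_init, the new bound `CONF_DIR_LEN - strlen(confdir) - 1` stops the one-byte overflow but still truncates silently when homedir plus the `&bat_hosts_path[i][1]` suffix does not fit, so a shortened and therefore different file name ends up in confdir. Consider building the path with `snprintf(confdir, CONF_DIR_LEN, "%s%s", homedir, &bat_hosts_path[i][1])` and skipping the entry when the return value is >= CONF_DIR_LEN. The subtraction itself cannot wrap here, because the preceding `confdir[CONF_DIR_LEN - 1] = '\0'` keeps strlen(confdir) at most CONF_DIR_LEN - 1.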
diff --git a/functions.c b/functions.c
index cc05a48..0359287 100644
--- a/functions.c
+++ b/functions.c
@@ -180,7 +180,7 @@ int read_file(char *dir, char *fname, int read_opt,
 
 	strncpy(full_path, dir, strlen(dir));
 	full_path[strlen(dir)] = '\0';
-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
 
 open:
 	line = 0;
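Review bot: the two context lines above the changed strncat in read_file bound the copy by the source length, not by the destination: `strncpy(full_path, dir, strlen(dir))` followed by `full_path[strlen(dir)] = '\0'` writes past full_path whenever dir is as long as the buffer or longer (assuming full_path is an array, as the sizeof suggests). In that case `sizeof(full_path) - strlen(full_path) - 1` also wraps around as an unsigned value, so the new bound gives no protection. Suggest checking `strlen(dir) + strlen(fname) < sizeof(full_path)` before copying, or using snprintf and checking its return value, and noting in the commit message that the fix relies on dir fitting.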
@@ -305,7 +305,7 @@ int write_file(char *dir, char *fname, char *arg1, char *arg2)
 
 	strncpy(full_path, dir, strlen(dir));
 	full_path[strlen(dir)] = '\0';
-	strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+	strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
 
 	fd = open(full_path, O_WRONLY);
 
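Review bot: in write_file the result of the bounded strncat goes straight to `open(full_path, O_WRONLY)`, so when fname does not fit, the write is attempted on whatever shorter path the truncation produced and no error is reported. Returning an error when dir plus fname exceeds sizeof(full_path) - 1 would be safer than opening a truncated name. The strncpy/strncat sequence is also identical to the one in read_file; a shared helper would keep the two copies from drifting apart.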
-- 
1.8.4.rc3
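The off-by-one described in the commit message, as an added example that is not part of the original mail or of batctl: `writes_past_cap` and `join_path` are hypothetical helpers, and the paths are constructed sample input. The buffer is deliberately larger than its logical size `cap`, so the stray terminator can be observed without leaving the array.

```c
#include <stdio.h>
#include <string.h>

#define BACKING 32   /* real array size, so the demo stays inside the object */
#define GUARD   0x7f /* marker for bytes strncat must not touch */

/* Returns 1 if strncat wrote at or beyond index `cap` of a buffer whose
 * logical size is `cap`, 0 if not, -1 on unusable arguments.
 * slack = 0 is the pre-patch bound, slack = 1 the patched one. */
static int writes_past_cap(size_t cap, const char *dir, const char *fname,
			   size_t slack)
{
	char buf[BACKING];
	size_t i;

	if (cap == 0 || cap >= BACKING || strlen(dir) >= cap || slack > 1)
		return -1;
	memset(buf, GUARD, sizeof(buf));
	strcpy(buf, dir);
	/* strncat appends up to n bytes and then always writes a '\0' */
	strncat(buf, fname, cap - strlen(buf) - slack);
	for (i = cap; i < BACKING; i++)
		if (buf[i] != GUARD)
			return 1;
	return 0;
}

/* Bounded join that reports truncation instead of shortening the path. */
static int join_path(char *dst, size_t cap, const char *dir, const char *fname)
{
	int n = snprintf(dst, cap, "%s%s", dir, fname);

	return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
	char p[8];

	/* constructed sample paths, logical buffer size 8 */
	printf("old bound overflows: %d\n",
	       writes_past_cap(8, "/sys/", "orig_interval", 0));
	printf("new bound overflows: %d\n",
	       writes_past_cap(8, "/sys/", "orig_interval", 1));
	printf("join_path result:    %d\n",
	       join_path(p, sizeof(p), "/sys/", "orig_interval"));
	return 0;
}
```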

