[01/11] batctl: Fix possible buffer overflow when using strncat
Commit Message
The length field (n) of strncat is used to specify the length of the buffer
without the \0 delimiter. strncat will add it even when it will write it to the
limit of n bytes was written.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
bat-hosts.c | 2 +-
functions.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
Comments
On Tuesday, September 10, 2013 11:11:52 PM Sven Eckelmann wrote:
> The length field (n) of strncat is used to specify the length of the buffer
> without the \0 delimiter. strncat will add it even when it will write it to
> the limit of n bytes was written.
>
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
> bat-hosts.c | 2 +-
> functions.c | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
Applied in revision f1e262c.
Thanks,
Marek
@@ -194,7 +194,7 @@ void bat_hosts_init(int read_opt)
strncpy(confdir, homedir, CONF_DIR_LEN);
confdir[CONF_DIR_LEN - 1] = '\0';
- strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir));
+ strncat(confdir, &bat_hosts_path[i][1], CONF_DIR_LEN - strlen(confdir) - 1);
} else {
strncpy(confdir, bat_hosts_path[i], CONF_DIR_LEN);
confdir[CONF_DIR_LEN - 1] = '\0';
@@ -180,7 +180,7 @@ int read_file(char *dir, char *fname, int read_opt,
strncpy(full_path, dir, strlen(dir));
full_path[strlen(dir)] = '\0';
- strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+ strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
open:
line = 0;
@@ -305,7 +305,7 @@ int write_file(char *dir, char *fname, char *arg1, char *arg2)
strncpy(full_path, dir, strlen(dir));
full_path[strlen(dir)] = '\0';
- strncat(full_path, fname, sizeof(full_path) - strlen(full_path));
+ strncat(full_path, fname, sizeof(full_path) - strlen(full_path) - 1);
fd = open(full_path, O_WRONLY);