41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
|
From 654ea5fae25f0863d958e3ecd0bc0672603e0b4c Mon Sep 17 00:00:00 2001
|
||
|
|
From: Andreas Schneider <asn@samba.org>
|
||
|
|
Date: Fri, 10 Jan 2014 11:15:43 +0100
|
||
|
|
Subject: [PATCH] Fix crash with crafted ini files.
|
||
|
|
|
||
|
|
If the key or value is bigger than 1024 we will end up in a buffer
|
||
|
|
overflow. The overflow is caught by _FORTIFY_SOURCE, so it's definitely
|
||
|
|
DoS-only. Curiously, because of ample space in the stack frame, it does
|
||
|
|
not result in a crash without _FORTIFY_SOURCE in all cases.
|
||
|
|
|
||
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||
|
|
---
|
||
|
|
src/iniparser.c | 4 ++--
|
||
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/iniparser.c b/src/iniparser.c
|
||
|
|
index 4430032..18dbbbe 100644
|
||
|
|
--- a/src/iniparser.c
|
||
|
|
+++ b/src/iniparser.c
|
||
|
|
@@ -633,7 +633,7 @@ dictionary * iniparser_load(const char * ininame)
|
||
|
|
char line [ASCIILINESZ+1] ;
|
||
|
|
char section [ASCIILINESZ+1] ;
|
||
|
|
char key [ASCIILINESZ+1] ;
|
||
|
|
- char tmp [ASCIILINESZ+1] ;
|
||
|
|
+ char tmp [(ASCIILINESZ * 2) + 1] ;
|
||
|
|
char val [ASCIILINESZ+1] ;
|
||
|
|
|
||
|
|
int last=0 ;
|
||
|
|
@@ -699,7 +699,7 @@ dictionary * iniparser_load(const char * ininame)
|
||
|
|
break ;
|
||
|
|
|
||
|
|
case LINE_VALUE:
|
||
|
|
- sprintf(tmp, "%s:%s", section, key);
|
||
|
|
+ snprintf(tmp, sizeof(tmp), "%s:%s", section, key);
|
||
|
|
errs = dictionary_set(dict, tmp, val) ;
|
||
|
|
break ;
|
||
|
|
|
||
|
|
--
|
||
|
|
1.8.4.2
|
||
|
|
|