7d717a51ff
Mon Sep 06 2004 Radek Vokal <rvokal@redhat.com> 2.6.9-2 - fixed possible buffer overflow, patch by Steve Grubb <linux_4ever@yahoo.com>
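--- iproute2-2.6.9/misc/nstat.c.bound 2004-08-31 14:32:14.000000000 -0400
+++ iproute2-2.6.9/misc/nstat.c 2004-09-05 10:32:26.000000000 -0400
@@ -121,14 +121,16 @@
 int nr;
 unsigned long long val;
 double rate;
- char idbuf[256];
+ char idbuf[sizeof(buf)];
 if (buf[0] == '#') {
 buf[strlen(buf)-1] = 0;
 if (info_source[0] && strcmp(info_source, buf+1))
 source_mismatch = 1;
- strncpy(info_source, buf+1, sizeof(info_source)-1);
+ info_source[0] = 0;
+ strncat(info_source, buf+1, sizeof(info_source)-1);
 continue;
 }
+ /* idbuf is as big as buf, so this is safe */
 nr = sscanf(buf, "%s%llu%lg", idbuf, &val, &rate);
 if (nr < 2)
 abort();
@@ -162,7 +164,7 @@
 struct nstat_ent *n;
 
 while (fgets(buf, sizeof(buf), fp) != NULL) {
- char idbuf[256];
+ char idbuf[sizeof(buf)];
 int off;
 char *p;
 
@@ -170,8 +172,9 @@
 if (!p)
 abort();
 *p = 0;
- strcpy(idbuf, buf);
- off = strlen(idbuf);
+ idbuf[0] = 0;
+ strncat(idbuf, buf, sizeof(idbuf) -1);
+ off = p - buf;
 p += 2;
 
 while (*p) {
@@ -180,7 +183,10 @@
 *next++ = 0;
 else if ((next = strchr(p, '\n')) != NULL)
 *next++ = 0;
- strcpy(idbuf+off, p);
+ if (off < sizeof(idbuf)) {
+ idbuf[off] = 0;
+ strncat(idbuf, p, sizeof(idbuf) - off - 1);
+ }
 n = malloc(sizeof(*n));
 if (!n)
 abort();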
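Review bot: In the last hunk, when `off < sizeof(idbuf)` is false the block is skipped and execution falls through to `malloc` with `idbuf` still holding whatever the previous iteration left there, so a failed bound check would yield a stale identifier instead of an error. With `idbuf` declared as `char idbuf[sizeof(buf)]` and `off = p - buf`, the condition looks always true, so this is a latent path, but it should fail the way the neighbouring checks do: add `else abort();` after the closing brace. The comparison also mixes `int off` with a `size_t`; writing `(size_t)off < sizeof(idbuf)` (or declaring `off` as `size_t`) avoids the sign-conversion warning and keeps `sizeof(idbuf) - off - 1` unambiguous. The loop body continues past the end of the hunk, so how `idbuf` is consumed after `malloc` is not visible here.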