Commit d075847c1ed4c7ce21dd22d97b3274f3a58d99ce
Fix possible buffer overrun in ipc:ipc_send()
CID 1357716 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
fixed_size_dest: You might overrun the 8192-character fixed-size string
&pkg[len] by copying *data without checking the length.
parameter_as_source: Note: This defect has an elevated risk
because the source argument is a parameter of the current function.
Author: xaizek
Author date (UTC): 2016-07-15 17:47
Committer name: xaizek
Committer date (UTC): 2016-07-15 17:47
Parent(s): e5a0be7630bf9fe17efa8340b04665e8e2e792a0
Signing key: 99DC5E4DB05F6BE2
Tree: 6dff84d6757ec821c9f628e8d5c7b98ee679325b
| File src/ipc.c changed (mode: 100644) (index 1ca0e2772..f07fe9ab1) |
| ... |
... |
ipc_send(const char whom[], char *data[]) |
| 435 |
435 |
|
|
| 436 |
436 |
while(*data != NULL) |
while(*data != NULL) |
| 437 |
437 |
{ |
{ |
| 438 |
|
strcpy(pkg + len, *data); |
|
| 439 |
|
len += strlen(*data) + 1; |
|
| 440 |
|
data++; |
|
|
438 |
|
len += copy_str(pkg + len, sizeof(pkg) - len, *data); |
|
439 |
|
++data; |
| 441 |
440 |
} |
} |
| 442 |
441 |
pkg[len++] = '\0'; |
pkg[len++] = '\0'; |
| 443 |
442 |
|
|
| File src/utils/str.c changed (mode: 100644) (index 2cc8f808c..e766e76a6) |
| ... |
... |
has_uppercase_letters(const char str[]) |
| 825 |
825 |
size_t |
size_t |
| 826 |
826 |
copy_str(char dst[], size_t dst_len, const char src[]) |
copy_str(char dst[], size_t dst_len, const char src[]) |
| 827 |
827 |
{ |
{ |
| 828 |
|
/* XXX: shouldn't we return "strlen(src)" instead "0U"? */ |
|
|
828 |
|
/* XXX: shouldn't we return "strlen(src)" instead of "0U"? */ |
| 829 |
829 |
return (dst == src) ? 0U : copy_substr(dst, dst_len, src, '\0'); |
return (dst == src) ? 0U : copy_substr(dst, dst_len, src, '\0'); |
| 830 |
830 |
} |
} |
| 831 |
831 |
|
|