Wrong size passed to strncat() leads to missing null termination or buffer overflow

ibmibmibm / shellinabox

Automatically exported from code.google.com/p/shellinabox

Other

0 stars 0 forks source link

Wrong size passed to strncat() leads to missing null termination or buffer overflow #159

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

A few functions in launcher.c passed sizeof(buffer) to strncat, so long strings 
might not be null terminated.  Alternatively, if strlcat is available and 
strncat is defined in terms of strlcat, this actually causes a one-character 
buffer overflow.  This patch corrects the size to sizeof(buffer) - 1.

Original issue reported on code.google.com by andersk@mit.edu on 12 Jan 2012 at 5:11

Attachments:

0001-Fix-miscellaneous-strncat-buffer-overflows.patch

GoogleCodeExporter commented 9 years ago

Thank you for the patch.
https://github.com/jayschwa/shellinabox/commit/8f8938fd1477c63b79d5c17f19c9b2288
b7336f0

Original comment by Jayschwa on 18 Jan 2012 at 5:33

GoogleCodeExporter commented 9 years ago

Applied for 2.11.

Original comment by beewoo...@gmail.com on 31 Mar 2012 at 11:23

Changed state: Fixed