liuzhe02 / shellinabox

Automatically exported from code.google.com/p/shellinabox
Other
0 stars 0 forks source link

Missing null termination in httpGetURL, urlGetURL #160

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The strncat() calls in httpGetURL and urlGetURL do not ensure that long strings 
are null terminated.  This patch corrects that by using calloc instead of 
malloc.

(This probably isn’t currently exploitable because :port can’t be 25 
characters long, but should be fixed anyway.)

Original issue reported on code.google.com by andersk@mit.edu on 12 Jan 2012 at 5:14

Attachments:

GoogleCodeExporter commented 8 years ago
strncat() always appends a null byte according to:
http://pubs.opengroup.org/onlinepubs/009604599/functions/strncat.html

I am unsure why this change is necessary. Can you clarify?

Original comment by Jayschwa on 18 Jan 2012 at 5:46

GoogleCodeExporter commented 8 years ago
Yeah, you’re right, you can ignore this patch.

Original comment by andersk@mit.edu on 18 Jan 2012 at 5:50

GoogleCodeExporter commented 8 years ago
How about the size parameter? Is there a potential for overflow, as was the 
case in your #159?

Original comment by Jayschwa on 18 Jan 2012 at 5:57