[sane-devel] fix for possible buffer overflows
Johannes Meixner
jsmeix at suse.de
Thu Nov 9 15:05:38 CET 2006
Hello,
sane-backends-1.0.18:
Here is a fix for possible buffer overflows:
--------------------------------------------------------------------
--- backend/as6e.c.orig 2004-10-03 16:21:45.000000000 +0200
+++ backend/as6e.c 2006-10-27 12:52:54.000000000 +0200
@@ -811,9 +811,11 @@ check_for_driver (const char *devname)
dir[count - offset] = path[count];
count++;
}
- strncpy (fullname, dir, NAMESIZE);
- strncat (fullname, "/", NAMESIZE);
- strncat (fullname, devname, NAMESIZE);
+ /* use sizeof(fullname)-1 to make sure there is at least one padded
null byte */
+ strncpy (fullname, dir, sizeof(fullname)-1);
+ /* take into account that fullname already contains non-null bytes */
+ strncat (fullname, "/", sizeof(fullname)-strlen(fullname)-1);
+ strncat (fullname, devname, sizeof(fullname)-strlen(fullname)-1);
if (!stat (fullname, &statbuf))
{
modes = statbuf.st_mode;
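Review bot: the new strncpy (fullname, dir, sizeof(fullname)-1) still leaves fullname without a terminating null byte whenever strlen(dir) >= sizeof(fullname)-1, and the strlen(fullname) on the following strncat lines may then run past the end of the buffer, so the length arithmetic in both strncat calls is computed from garbage; add `fullname[sizeof(fullname)-1] = '\0';` directly after the strncpy, or replace the three calls with `snprintf (fullname, sizeof(fullname), "%s/%s", dir, devname);`, which truncates and terminates in one step. The change from NAMESIZE to sizeof(fullname) is only correct if fullname is declared as an array in check_for_driver rather than as a pointer; the hunk does not show the declaration, so that is worth confirming before applying. Also, the second line of the added comment (`null byte */`) has lost its leading `+`, presumably from mail wrapping, so the patch as pasted will not apply cleanly.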
--------------------------------------------------------------------
Background information:
Anything looking like
strncat(dest, src, sizeof(dest))
is wrong and might overflow the dest buffer depending on what
is in dest before.
The fix is to care about what is in dest before and to leave
space for the terminating null byte:
strncat(dest, src, sizeof(dest) - strlen(dest) - 1)
A different but similar issue is
strncpy(dest, src, sizeof(dest))
because if sizeof(src) >= sizeof(dest) there is no overflow of dest
but there is no terminating null byte in dest and the next function
which reads dest may read too many characters which may overflow
another buffer.
Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5 Mail: jsmeix at suse.de
90409 Nuernberg, Germany WWW: http://www.suse.de/
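As an added illustration of the two problems described in the mail (example code written for this page, not part of Johannes' message or of sane-backends; NAMESIZE 16, the canary layout and the sample paths are assumed values), the following C program appends to a buffer that sits in front of a canary region inside the same array, once with the `sizeof(dest)` bound and once with the patch's `sizeof(dest) - strlen(dest) - 1` bound, and reports which form clobbers the canary. It also shows strncpy leaving no terminator when the source fills the buffer, and a join routine that adds the explicit terminator after strncpy before doing the two strncat calls.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small sizes so the arithmetic is easy to follow (assumed values; the real
   as6e.c uses its own NAMESIZE for fullname). */
#define NAMESIZE    16
#define CANARY_LEN  32          /* >= NAMESIZE + 1, the worst-case overrun */
#define CANARY_BYTE 0xAA

/* Scratch output buffer for join_path() so callers can inspect the result. */
char scratch_buf[NAMESIZE];

/* Join "<dir>/<devname>" into dest the way the patch does it, plus an explicit
   terminator after strncpy (strncpy writes none when dir fills the buffer).
   Returns 0 if the whole path fit, -1 if it was truncated; dest is a properly
   terminated string either way. */
int join_path(char *dest, size_t destsize, const char *dir, const char *devname)
{
    if (destsize == 0)
        return -1;
    strncpy(dest, dir, destsize - 1);
    dest[destsize - 1] = '\0';
    /* each strncat is told how much room is actually left, minus the NUL */
    strncat(dest, "/", destsize - strlen(dest) - 1);
    strncat(dest, devname, destsize - strlen(dest) - 1);
    return (strlen(dir) + 1 + strlen(devname) < destsize) ? 0 : -1;
}

/* Appends src to a NAMESIZE-byte dest that is followed by a canary region in
   the same array, so an overrun lands in the canary instead of in unrelated
   memory. Returns 1 if the canary was clobbered, 0 if it survived. */
static int append_and_check_canary(int fixed_form, const char *initial, const char *src)
{
    unsigned char buf[NAMESIZE + CANARY_LEN];
    char *dest = (char *)buf;
    size_t i;

    memset(buf, 0, NAMESIZE);
    memset(buf + NAMESIZE, CANARY_BYTE, CANARY_LEN);
    strncpy(dest, initial, NAMESIZE - 1);   /* initial is short; dest stays terminated */

    if (fixed_form)
        strncat(dest, src, NAMESIZE - strlen(dest) - 1);  /* the patch's form */
    else
        strncat(dest, src, NAMESIZE);                     /* the form the mail calls wrong */

    for (i = 0; i < CANARY_LEN; i++)
        if (buf[NAMESIZE + i] != CANARY_BYTE)
            return 1;
    return 0;
}

/* "/dev/usb" (8 bytes) is already in dest, then 10 more bytes are appended. */
int wrong_strncat_overruns(void) { return append_and_check_canary(0, "/dev/usb", "as6edriver"); }
int fixed_strncat_overruns(void) { return append_and_check_canary(1, "/dev/usb", "as6edriver"); }

/* The second issue from the mail: strncpy(dest, src, sizeof dest) with a
   source of sizeof dest bytes or more leaves dest without any NUL.
   Returns 1 if no terminator is present anywhere in dest, 0 otherwise. */
int strncpy_left_unterminated(const char *src)
{
    char dest[NAMESIZE];
    strncpy(dest, src, sizeof dest);
    return memchr(dest, '\0', sizeof dest) == NULL;
}

int main(void)
{
    printf("strncat(dest, src, sizeof dest) overran:            %d\n", wrong_strncat_overruns());
    printf("strncat(dest, src, sizeof dest - strlen - 1) overran: %d\n", fixed_strncat_overruns());
    printf("strncpy with a 16-byte source left no NUL:          %d\n",
           strncpy_left_unterminated("0123456789abcdef"));
    printf("join_path status %d -> \"%s\"\n",
           join_path(scratch_buf, sizeof scratch_buf, "/dev/usb", "as6edriver"), scratch_buf);
    return 0;
}
```

Build with any C compiler (for example `gcc -Wall overrun.c`) and run; the wrong form reports 1, the fixed form 0, and the truncated join_path call returns -1 with a 15-character result. Note that `sizeof(dest)` only yields the buffer size when dest is an array in the current scope, which is why join_path takes the size as a parameter instead of using sizeof on its pointer argument.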