List:       linux-coda
Subject:    [PATCH]: Fix overruns in codasrv main routine
From:       Neil Horman <nhorman () tuxdriver ! com>
Date:       2009-07-20 23:47:14
Message-ID: 20090720234714.GA13385 () hmsreliant ! think-freely ! org

Hey, glibc just found this on Fedora.  A stack overrun of a few bytes in the
sname variable in the coda server main routine.  It's 20 bytes long, and at least
one of the sprintfs writes at least 23 bytes to the buffer.  The patch below
fixes it.  I suppose switching to snprintf would be better, but the code seems
so unlikely to change further at this point, this just seemed a bit more
straightforward.

Neil


Signed-off-by: Neil Horman <nhorman@tuxdriver.com>


 srv.cc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coda-src/vice/srv.cc b/coda-src/vice/srv.cc
index e0c5144..d75cc52 100644
--- a/coda-src/vice/srv.cc
+++ b/coda-src/vice/srv.cc
@@ -315,7 +315,7 @@ void zombie(int sig)
 
 int main(int argc, char *argv[])
 {
-    char    sname[20];
+    char    sname[32];
     int     i;
     struct stat buff;
     PROCESS serverPid, resPid, smonPid, resworkerPid;
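
Review bot: the new size in `char    sname[32];` is a bare constant, and nothing in this hunk ties it to the longest string the sprintf calls mentioned in the message can produce, so those writes stay unbounded and a longer formatted name would overrun the stack again. Consider keeping the larger buffer and also changing the calls to snprintf(sname, sizeof(sname), ...), or at minimum add a comment at the declaration recording the longest name written into sname and how 32 was chosen.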
