Bug#805519: wmifs: Buffer overflow on startup. Process crashes.
anomie at users.sourceforge.net
anomie at users.sourceforge.net
Tue Apr 19 11:42:26 UTC 2016
This recently started happening to me locally. In my case, at least, it
turns out to be due to wmifs blindly assuming all interface names are 8
bytes or shorter (including the trailing nul). Looks like IFNAMSIZ has
been 16 for some time now.
-------------- next part --------------
--- wmifs.c.orig 2016-04-19 07:34:59.873085155 -0400
+++ wmifs.c 2016-04-19 07:33:11.634910715 -0400
@@ -247,6 +247,7 @@
/* the size of the buffer read from /proc/net/ */
#define BUFFER_SIZE 512
+
/**********************/
/* External Variables */
/**********************/
@@ -317,7 +318,7 @@
switch (arg[1]) {
case 'c' :
if (argc > i+1) {
- strcpy(color, argv[i+1]);
+ strncpy(color, argv[i+1], sizeof(color));
i++;
}
break;
@@ -392,7 +393,7 @@
typedef struct {
- char name[8];
+ char name[IFNAMSIZ];
int his[55][2];
long istatlast;
long ostatlast;
@@ -478,7 +479,7 @@
fprintf(stderr, "Unknown $HOME directory, please check your environment\n");
return;
}
- strcpy(temp, p);
+ strncpy(temp, p, BUFFER_SIZE - 10);
strcat(temp, "/.wmifsrc");
parse_rcfile(temp, wmifs_keys);
@@ -852,7 +853,7 @@
int i = 0, j;
int k;
int devsfound = 0;
- char foundbuffer[MAX_STAT_DEVICES][8];
+ char foundbuffer[MAX_STAT_DEVICES][IFNAMSIZ];
for (i = 0; i < MAX_STAT_DEVICES; i++)
foundbuffer[i][0] = 0;
@@ -890,7 +891,7 @@
skip it! */
if (strcmp(p, "lo") || (active_interface && !strcmp(active_interface, "lo"))) {
- strcpy(foundbuffer[devsfound], p);
+ strncpy(foundbuffer[devsfound], p, IFNAMSIZ);
devsfound++;
}
if (devsfound >= MAX_STAT_DEVICES)
@@ -930,7 +931,7 @@
for (j = 0; j < MAX_STAT_DEVICES; j++) {
if (foundbuffer[j][0]) {
- strcpy(stat_devices[i].name, foundbuffer[j]);
+ strncpy(stat_devices[i].name, foundbuffer[j], IFNAMSIZ);
for (k = 0; k < 48; k++) {
stat_devices[i].his[k][0] = 0;
@@ -948,7 +949,7 @@
break;
}
if (!k) {
- strcpy(stat_devices[i].name, active_interface);
+ strncpy(stat_devices[i].name, active_interface, IFNAMSIZ);
for (k = 0; k < 48; k++) {
stat_devices[i].his[k][0] = 0;
stat_devices[i].his[k][1] = 0;
More information about the Pkg-wmaker-devel
mailing list