Bugtraq mailing list archives

Re: cdp buffer overflow vulnerability


From: Vade 79 <v9 () fakehalo deadpig org>
Date: 31 Mar 2004 21:45:04 -0000

In-Reply-To: <20040331161611.75451.qmail () web25104 mail ukl yahoo com>

For the patch you provided, you should use sizeof(buffer), not strlen(buffer) (or 200), to limit the amount written to buffer[].

--- songname.patch ---

--- cdp.c       2004-03-31 15:48:55.000000000 +0100
+++ cdp.1.c     2004-03-31 15:44:35.000000000 +0100
@@ -154,7 +154,7 @@
    for  ( ind = 0; ind < cdStatus.thiscd.ntracks;
ind++ ) {
        trk = &cdStatus.thiscd.trk[ ind ];
        if  ( trk->songname != NULL ) {
-            sprintf( buffer, "%s", trk->songname );
+            snprintf( buffer, strlen(buffer), "%s",
trk->songname );
        } else
            buffer[ 0 ] = 0;
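Review bot: the size argument on the `+` line, strlen(buffer), is the length of whatever string is currently in buffer, not the buffer's capacity, so it bounds the write incorrectly in both directions: on an empty (zero-initialised) buffer the limit is 0 and nothing is copied, and on an uninitialised buffer strlen() reads arbitrary bytes and may return a value larger than the buffer itself. Assuming buffer is a fixed-size array in this function, which the sizeof(buffer) suggestion in the reply implies, the line should read `snprintf( buffer, sizeof(buffer), "%s", trk->songname );`. Because snprintf truncates silently, checking its return value against sizeof(buffer) would also let the caller notice a song name that did not fit.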


--- eof ---
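To make the difference between the two size arguments concrete, here is an added example in C. It is not cdp's source and not the patch author's code; the names copy_with_strlen, copy_with_capacity, copy_song_checked and BUFLEN are constructed for illustration. Inside cdp.c, where buffer is a local array, sizeof(buffer) is the array size; in a helper that receives a char *, sizeof would give the pointer size, so the capacity is passed explicitly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed capacity for the demonstration; the size of cdp's real
 * buffer is not shown in the thread. */
#define BUFLEN 16

/* Mirrors the patch as posted: strlen(dst) measures the string already in
 * dst, not the space available. On an empty buffer the limit is 0 and
 * nothing is copied; on an uninitialised buffer strlen() reads whatever
 * bytes happen to be there. Returns snprintf's result (the length it would
 * have written). */
int copy_with_strlen(char *dst, const char *src)
{
    return snprintf(dst, strlen(dst), "%s", src);
}

/* The recommended form: the limit is the destination's capacity. The
 * caller passes sizeof(buffer) from the scope where buffer is an array. */
int copy_with_capacity(char *dst, size_t cap, const char *src)
{
    return snprintf(dst, cap, "%s", src);
}

/* snprintf truncates silently, so a bounded copy still needs a check:
 * returns 1 if src did not fit (truncated), 0 if it fit, -1 on error. */
int copy_song_checked(char *dst, size_t cap, const char *src)
{
    int n = copy_with_capacity(dst, cap, src);
    if (n < 0)
        return -1;
    return n >= (int)cap;
}

int main(void)
{
    /* Constructed inputs: an empty, terminated buffer and a song name
     * longer than the buffer. */
    char buffer[BUFLEN] = "";
    const char *song = "A song name longer than sixteen bytes";

    copy_with_strlen(buffer, song);
    printf("strlen(buffer) as limit: \"%s\"\n", buffer);   /* still empty */

    int truncated = copy_song_checked(buffer, sizeof buffer, song);
    printf("sizeof(buffer) as limit: \"%s\" truncated=%d\n",
           buffer, truncated);                              /* 15 chars, 1 */
    return 0;
}
```

With the strlen-based limit the copy silently does nothing on a fresh buffer, which is the kind of behaviour that looks like a fix until a stale or uninitialised buffer gives strlen() a different answer; the sizeof-based version always writes at most BUFLEN-1 bytes plus the terminator, and the return-value check tells the caller when the name was cut.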

