~sircmpwn/gmni#41: 
Possible buffer overflows in download_resp

On line 77:

strncat(strncpy(&buf[0], path, sizeof(buf)), basename(url), sizeof(buf));

As stated in strncat (3):

If src contains n or more bytes, strncat() writes n+1 bytes to dest (n from src plus the terminating null byte). Therefore, the size of dest must be at least strlen(dest)+n+1

If strlen(basename) + strlen(path) + 1 > sizeof(buf), a buffer overflow occurs.

On line 88:

n = BIO_read(resp.bio, buf, BUFSIZ);

It reads at most BUFSIZ, but sizeof(buf) is PATH_MAX (line 71).

It is very unlikely they will happen due to the current value of PATH_MAX on Linux.

--

Cédric Hannotier
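
An added example (not gmni's code and not part of the ticket): one way to build the download path so that an over-long result is rejected instead of overflowing, following the strncat(3) size rule quoted above. The helper names, buffer sizes and the sample directory and file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes dest must hold for strncat(dest, src, n) to stay in bounds,
 * per strncat(3): strlen(dest) + min(strlen(src), n) + 1. */
size_t strncat_needed(const char *dest, const char *src, size_t n)
{
	size_t srclen = strlen(src);
	return strlen(dest) + (srclen < n ? srclen : n) + 1;
}

/* Hypothetical helper: write dir followed by name into dst (dstsz bytes).
 * Returns 0 on success, -1 if the result would be truncated; dst is
 * always NUL-terminated and left empty on failure. */
int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
	if (dstsz == 0)
		return -1;
	int n = snprintf(dst, dstsz, "%s%s", dir, name);
	if (n < 0 || (size_t)n >= dstsz) {
		dst[0] = '\0';
		return -1;
	}
	return 0;
}

/* Same result with strncat: the third argument is the space left in dst,
 * not sizeof(dst). strncpy alone does not terminate when dir fills dst. */
int join_path_strncat(char *dst, size_t dstsz, const char *dir, const char *name)
{
	if (strlen(dir) + strlen(name) + 1 > dstsz)
		return -1;
	strncpy(dst, dir, dstsz - 1);
	dst[dstsz - 1] = '\0';
	strncat(dst, name, dstsz - strlen(dst) - 1);
	return 0;
}

int main(void)
{
	char small[16], big[64];	/* constructed sizes, not PATH_MAX */
	const char *dir = "/tmp/downloads/", *name = "index.gmi";	/* constructed */
	printf("needed=%zu have=%zu\n", strncat_needed(dir, name, sizeof(small)), sizeof(small));
	printf("small: %d\n", join_path(small, sizeof(small), dir, name));
	printf("big: %d %s\n", join_path(big, sizeof(big), dir, name), big);
	return 0;
}
```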

Status
RESOLVED FIXED
Submitter
Cédric Hannotier
Assigned to
No-one
Submitted
7 months ago
Updated
5 months ago
Labels
No labels applied.

~sircmpwn 7 months ago

Send patch

~rwa 5 months ago

~sircmpwn REPORTED FIXED 5 months ago
