Re: cdp buffer overflow vulnerability
In-Reply-To: <20040331161611.75451.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
For the patch you provided, you should use sizeof(buffer), not strlen(buffer)
(or 200), to limit the amount written to buffer[].
>--- songname.patch ---
>
>--- cdp.c 2004-03-31 15:48:55.000000000 +0100
>+++ cdp.1.c 2004-03-31 15:44:35.000000000 +0100
>@@ -154,7 +154,7 @@
> for ( ind = 0; ind < cdStatus.thiscd.ntracks;
>ind++ ) {
> trk = &cdStatus.thiscd.trk[ ind ];
> if ( trk->songname != NULL ) {
>- sprintf( buffer, "%s", trk->songname );
>+ snprintf( buffer, strlen(buffer), "%s",
>trk->songname );
> } else
> buffer[ 0 ] = 0;
>
>
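Review bot: the size argument in the `+` line, `snprintf( buffer, strlen(buffer), "%s", trk->songname );`, bounds the write by the length of whatever buffer currently holds, not by its capacity, so the hunk does not actually guarantee the copy fits. On the first loop iteration buffer may be uninitialized (strlen on it is undefined behaviour); on later iterations the limit is the previous track's name length, which silently truncates any longer name, and after an empty name it passes 0, so nothing is written at all. Use the array's real capacity instead, e.g. `snprintf( buffer, sizeof(buffer), "%s", trk->songname );` when buffer is a local array (or the named size constant when it is a pointer), and consider comparing snprintf's return value against that capacity so truncated names are noticed rather than passed on.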
>--- eof ---
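The sizeof-versus-strlen point made in the reply, worked through in code. This is an added example, not code from the thread or from cdp itself: the `struct track`, `copy_songname`, and the two `chars_kept_with_*` helpers are hypothetical names chosen for illustration, and the 200-byte buffer mirrors the "(or 200)" mentioned above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the track record used in the quoted patch
 * (hypothetical; not the cdp project's own definition). */
struct track {
    const char *songname;   /* may be NULL, as in the patch */
};

/* Bounded copy of a song name into dst, whose capacity the caller passes
 * as sizeof(dst) at the call site. snprintf NUL-terminates whenever
 * cap > 0, and its return value says whether the whole name fit.
 * Returns 1 if the name was stored completely, 0 if it was truncated. */
int copy_songname(char *dst, size_t cap, const struct track *trk)
{
    if (cap == 0)
        return 0;
    if (trk->songname == NULL) {
        dst[0] = '\0';
        return 1;
    }
    int n = snprintf(dst, cap, "%s", trk->songname);
    return n >= 0 && (size_t)n < cap;
}

/* Reproduces the defect in the original patch: strlen(buffer) measures
 * what the buffer currently holds, not how large it is, so the bound
 * depends on the previous track. Returns how many characters of `second`
 * survive when the limit is strlen() of the previously stored `first`. */
size_t chars_kept_with_strlen_bound(const char *first, const char *second)
{
    char buffer[200];
    snprintf(buffer, sizeof(buffer), "%s", first);   /* previous track */
    /* Same call shape as the patch: a longer name is cut to
     * strlen(first) - 1 characters plus the NUL, and an empty previous
     * name makes the bound 0, so nothing is written. */
    snprintf(buffer, strlen(buffer), "%s", second);
    return strlen(buffer);
}

/* Corrected form: the bound is the array's capacity, independent of
 * whatever was stored before. Returns the number of characters stored,
 * which equals strlen(second) whenever the name fits in 200 bytes. */
size_t chars_kept_with_sizeof_bound(const char *first, const char *second)
{
    char buffer[200];
    struct track prev = { first }, cur = { second };
    copy_songname(buffer, sizeof(buffer), &prev);
    copy_songname(buffer, sizeof(buffer), &cur);
    return strlen(buffer);
}

int main(void)
{
    const char *title = "A considerably longer title";
    printf("strlen bound: %zu of %zu chars kept\n",
           chars_kept_with_strlen_bound("Intro", title), strlen(title));
    printf("sizeof bound: %zu of %zu chars kept\n",
           chars_kept_with_sizeof_bound("Intro", title), strlen(title));
    return 0;
}
```

The design point is that `sizeof(buffer)` only works when `buffer` is the array itself in the scope of the call; once it has decayed to a `char *` (for example inside a helper), the capacity has to be passed alongside the pointer, as `copy_songname` does, and the return value of snprintf is the cheap way to tell silent truncation from a complete copy.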