<<< Date Index >>>     <<< Thread Index >>>

Re: cdp buffer overflow vulnerability



In-Reply-To: <20040331161611.75451.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

for the patch you provided you should use sizeof(buffer), not strlen(buffer) 
(or 200) to limit the amount written to buffer[].

>--- songname.patch ---
>
>--- cdp.c       2004-03-31 15:48:55.000000000 +0100
>+++ cdp.1.c     2004-03-31 15:44:35.000000000 +0100
>@@ -154,7 +154,7 @@
>     for  ( ind = 0; ind < cdStatus.thiscd.ntracks;
>ind++ ) {
>         trk = &cdStatus.thiscd.trk[ ind ];
>         if  ( trk->songname != NULL ) {
>-            sprintf( buffer, "%s", trk->songname );
>+            snprintf( buffer, strlen(buffer), "%s",
>trk->songname );
>         } else
>             buffer[ 0 ] = 0;
>
>
>--- eof ---