$NetBSD: patch-ad,v 1.2 2006/03/02 21:03:39 wiz Exp $ --- server.c.orig 2005-09-16 12:17:59.000000000 +0200 +++ server.c @@ -208,7 +208,7 @@ long ts; int pid; pid=getpid(); -GetPeerIp(s,ip,buff); +GetPeerIp(s,ip,BLEN,buff,BLEN); // // We check if this IP is authorized to connect to us @@ -261,21 +261,34 @@ while(1==1) // Now, we are sure our buffer string length is no more than BLEN // as all parameters are defined also as buffers with a BLEN size // no buffer overflow is possible using strcpy . + // But what's the point. Protect it anyway. // if(strcmp(buff,"")==0) break; if(strncmp(buff,"request=",8)==0) - strcpy(request,buff+8); + { + strncpy(request,buff+8, sizeof(request)-1); + request[sizeof(request)-1] = '\0'; + } if(strncmp(buff,"sender=",7)==0) - strcpy(sender,buff+7); + { + strncpy(sender,buff+7, sizeof(sender)-1); + sender[sizeof(sender)-1] = '\0'; + } if(strncmp(buff,"recipient=",10)==0) - strcpy(recipient,buff+10); + { + strncpy(recipient,buff+10, sizeof(recipient)-1); + recipient[sizeof(recipient)-1] = '\0'; + } if(strncmp(buff,"client_address=",15)==0) - strcpy(ip,buff+15); + { + strncpy(ip,buff+15,sizeof(ip)-1); + ip[sizeof(ip)-1] = '\0'; + } } @@ -300,7 +313,11 @@ Quote(sender); // Now, we can safely use, str** functions // -if(sender[0]==0) strcpy(sender,"void@void"); +if(sender[0]==0) + { + strncpy(sender,"void@void",sizeof(sender)-1); + sender[sizeof(sender)-1] = '\0'; + } if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0) {