1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
$NetBSD: patch-ad,v 1.3 2007/04/18 17:06:16 ghen Exp $
--- server.c.orig 2006-05-01 22:43:10.000000000 +0200
+++ server.c
@@ -210,7 +210,7 @@ if(SQLConnect(cnf->sqlhost,cnf->sqluser,
return(-1);
}
-GetPeerIp(s,ip,buff);
+GetPeerIp(s,ip,BLEN,buff,BLEN);
//
// We check if this IP is authorized to connect to us
@@ -265,21 +265,34 @@ while(1==1)
// Now, we are sure our buffer string length is no more than BLEN
// as all parameters are defined also as buffers with a BLEN size
// no buffer overflow is possible using strcpy .
+ // But what's the point. Protect it anyway.
//
if(strcmp(buff,"")==0) break;
if(strncmp(buff,"request=",8)==0)
- strcpy(request,buff+8);
+ {
+ strncpy(request,buff+8, sizeof(request)-1);
+ request[sizeof(request)-1] = '\0';
+ }
if(strncmp(buff,"sender=",7)==0)
- strcpy(sender,buff+7);
+ {
+ strncpy(sender,buff+7, sizeof(sender)-1);
+ sender[sizeof(sender)-1] = '\0';
+ }
if(strncmp(buff,"recipient=",10)==0)
- strcpy(recipient,buff+10);
+ {
+ strncpy(recipient,buff+10, sizeof(recipient)-1);
+ recipient[sizeof(recipient)-1] = '\0';
+ }
if(strncmp(buff,"client_address=",15)==0)
- strcpy(ip,buff+15);
+ {
+ strncpy(ip,buff+15,sizeof(ip)-1);
+ ip[sizeof(ip)-1] = '\0';
+ }
}
@@ -304,7 +317,11 @@ Quote(sender);
// Now, we can safely use, str** functions
//
-if(sender[0]==0) strcpy(sender,"void@void");
+if(sender[0]==0)
+ {
+ strncpy(sender,"void@void",sizeof(sender)-1);
+ sender[sizeof(sender)-1] = '\0';
+ }
if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
{
|
