Dangerous strcpy
Jerry James
james at xemacs.org
Wed Jun 21 20:00:35 EDT 2006
I tried out a "security checker" today that supposedly looks for
security-related properties of code. It mostly produced nonsense, but
it did find this: in sound.c, line 645, we do a strcpy. We are copying
into a stack buffer of fixed size (255 bytes). We are copying from
h->h_name, where h is a struct hostent * returned by gethostbyname().
Do we actually know that h->h_name must be 254 (+ 1 null terminator)
characters long or less? I don't see anything on the gethostbyname man
page that so indicates.
--
Jerry James, Assistant Professor james at xemacs.org
Computer Science Department http://www.cs.usu.edu/~jerry/
Utah State University