Date: Tue, 29 Aug 2000 14:13:33 +0300 (EEST) From: netch@carrier.kiev.ua (Valentin Nechayev) To: Kris Kennaway <kris@FreeBSD.ORG>, freebsd-audit@FreeBSD.ORG Subject: Re: ftp(1) patch Message-ID: <200008291113.OFF57814@burka.carrier.kiev.ua> In-Reply-To: <Pine.BSF.4.21.0008042101550.64027-100000@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Kris Kennaway wrote:
KK> Index: cmds.c
KK> ===================================================================
KK> RCS file: /home/ncvs/src/usr.bin/ftp/cmds.c,v
KK> retrieving revision 1.18
KK> diff -u -r1.18 cmds.c
KK> --- cmds.c 2000/06/24 15:34:30 1.18
KK> +++ cmds.c 2000/08/05 03:52:38
KK> @@ -125,7 +125,7 @@
KK> else
KK> comret = command("TYPE %s", p->t_mode);
KK> if (comret == COMPLETE) {
KK> - (void)strcpy(typename, p->t_name);
KK> + (void)strlcpy(typename, p->t_name, sizeof(typename));
In all these fixes, do you prove that resulting string cannot be cut?
strlcpy() provides only buffer nonoevrflowing, but not correctness of
result in buffer.
Consider change strlcpy in these fixes to:
size_t checked_strcopy( char* To, const char* From, size_t Size )
{
register size_t Result = strlcpy( To, From, Size );
if( Result >= Size )
errx( EX_DATAERR, "too long string" );
return Result;
}
Also, `linefull' variable is set, but is not cheched AFAIS elsewhere.
/netch
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200008291113.OFF57814>