author | Ralf Baechle <ralf@linux-mips.org> | 2021-07-28 12:54:11 +0200 |
committer | Ralf Baechle <ralf@linux-mips.org> | 2021-07-28 12:54:11 +0200 |
commit | 27de2c769e20b0d056131442c5a2873a73f42bdc (patch) | |
tree | 5ae6be01cd8c468a3a499df26f0c49fb6aae85f6 | |
parent | f2f7b4dde15c553627a85e2d13f2612552994188 (diff) |
listen: Fix potential buffer overflow.
Sounds evil but would only be exploitable when getservbyport is accessing
a database that's under an attacker's control. The /etc/services file
shipping with Fedora 34 has entries of a maximum length of 15 characters
so are just fine.
Fixed by not copying the string returned by getservbyport - which also is
faster. At that point it becomes possible to reduce the length of str[]
to 6 bytes.
Found by the following GCC 11 warning:
gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -Wall -MT utils.o -MD -MP -MF .deps/utils.Tpo -c -o utils.o utils.c
utils.c: In function ‘servname’:
utils.c:124:17: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
124 | strncpy(str, serv->s_name, 16);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-rw-r--r-- | listen/utils.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/listen/utils.c b/listen/utils.c
index 4d99e10..f16f773 100644
--- a/listen/utils.c
+++ b/listen/utils.c
@@ -118,12 +118,12 @@ int initcolor(void)
 char *servname(int port, char *proto)
 {
 struct servent *serv;
- static char str[16];
+ static char str[6];
 if ((serv = getservbyport(htons(port), proto)))
- strncpy(str, serv->s_name, 16);
+ return serv->s_name;
 else
- snprintf(str, sizeof(str), "%i", port);
+ snprintf(str, sizeof(str), "%i", port);
 return str;
 } |
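Review bot: The new `static char str[6]` only holds "65535" plus the terminator, but the parameter is a plain `int` printed with `%i`, so a negative or larger value is silently truncated by the `snprintf` in the else branch (bounded, so no overflow, but the text no longer names the port). Since `htons(port)` already reduces the lookup to 16 bits, the fallback should print the same value: `snprintf(str, sizeof(str), "%u", (unsigned)port & 0xffffu);`. The added `return serv->s_name;` also changes the contract: the caller now gets a pointer into libc's static servent storage, which the next getserv*() call overwrites, instead of a private copy, and the non-const `char *` return invites writes into that storage. Worth a comment above the function: `/* Returns a pointer to static storage (libc's or ours); valid only until the next call, do not modify. */`.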