diff options
| author | Ralf Baechle <ralf@linux-mips.org> | 2017-07-26 11:54:31 +0200 |
|---|---|---|
| committer | Ralf Baechle <ralf@linux-mips.org> | 2017-07-26 11:57:18 +0200 |
| commit | be52635f543d1b2540bf30e27f7561c441a1974e (patch) | |
| tree | 323c06e56a982307b585197b33d324525c66a629 /call/call.c | |
| parent | 6553ae600526c04b7340c54aa1daf6a48379ea93 (diff) | |
call: Fix possible buffer overflow.
When downloading a file with a very long filename the 80 byte buffer used
by start_ab_download() might overflow. Increase the buffer to a sufficient
size and switch to using snprintf for double safety.
This also fixes the following warnings:
gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -Wall -MT call.o -MD -MP -MF .deps/call.Tpo -c -o call.o call.c
call.c: In function ‘cmd_call’:
call.c:1008:33: warning: ‘%s’ directive writing up to 254 bytes into a region of size 62 [-Wformat-overflow=]
sprintf(s, "filename : %s", gp->file_name);
^~
call.c:1008:3: note: ‘sprintf’ output between 19 and 273 bytes into a destination of size 80
sprintf(s, "filename : %s", gp->file_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
call.c:1022:30: warning: ‘%s’ directive writing up to 254 bytes into a region of size 65 [-Wformat-overflow=]
sprintf(s, "Unable to open %s", gp->file_name);
^~
call.c:1022:3: note: ‘sprintf’ output between 16 and 270 bytes into a destination of size 80
sprintf(s, "Unable to open %s", gp->file_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Diffstat (limited to 'call/call.c')
| -rw-r--r-- | call/call.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/call/call.c b/call/call.c index 172f491..4c49cd4 100644 --- a/call/call.c +++ b/call/call.c @@ -910,7 +910,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab, int cnt; int date = 0; struct tm ft; - char s[80]; + char s[GP_FILENAME_SIZE + 18]; int time_set = 0; for (crcst = 2; crcst < parmsbytes - 1 && @@ -1005,7 +1005,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab, sprintf(s, "size of file : %lu", (unsigned long) gp->dwn_cnt); wrdstatw(*swin, s); - sprintf(s, "filename : %s", gp->file_name); + snprintf(s, sizeof(s), "filename : %s", gp->file_name); wrdstatw(*swin, s); sprintf(s, "last mod. date : %02i.%02i.%04i", ft.tm_mday, ft.tm_mon+1 , ft.tm_year + 1900); @@ -1019,7 +1019,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab, if ((gp->dwn_file = open(gp->file_name, O_RDWR | O_CREAT, 0666)) == -1) { - sprintf(s, "Unable to open %s", gp->file_name); + snprintf(s, sizeof(s), "Unable to open %s", gp->file_name); statline(mode, s); if (write(fd, "#ABORT#\r", 8) == -1) { perror("write"); |