From 27de2c769e20b0d056131442c5a2873a73f42bdc Mon Sep 17 00:00:00 2001
From: Ralf Baechle
Date: Wed, 28 Jul 2021 12:54:11 +0200
Subject: listen: Fix potential buffer overflow.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sounds evil but would only be exploitable when getservbyport is accessing a database that's under an attacker's control. The /etc/services file shipping with Fedora 34 has entries of a maximum length of 15 characters so are just fine. Fixed by not copying the string returned by getservbyport - which also is faster. At that point it becomes possible to reduce the length of str[] to 6 bytes. Found by the following GCC 11 warning: gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -Wall -MT utils.o -MD -MP -MF .deps/utils.Tpo -c -o utils.o utils.c utils.c: In function ‘servname’: utils.c:124:17: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation] 124 | strncpy(str, serv->s_name, 16); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ralf Baechle
---
 listen/utils.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/listen/utils.c b/listen/utils.c
index 4d99e10..f16f773 100644
--- a/listen/utils.c
+++ b/listen/utils.c
@@ -118,12 +118,12 @@ int initcolor(void)
 char *servname(int port, char *proto)
 {
 	struct servent *serv;
-	static char str[16];
+	static char str[6];
 
 	if ((serv = getservbyport(htons(port), proto)))
-		strncpy(str, serv->s_name, 16);
+		return serv->s_name;
 	else
-		snprintf(str, sizeof(str), "%i", port);
+		snprintf(str, sizeof(str), "%i", port);
 
 	return str;
 }
-- 
cgit v1.2.3
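Review bot: The shrunk `str[6]` only fits the fallback text when `port` is within 0..65535, but `port` is a plain `int`: a negative or oversized value makes `snprintf(str, sizeof(str), "%i", port)` silently truncate (e.g. "-32768" needs 7 bytes), and the lookup on the line above already reduces it to 16 bits via `htons(port)`, so the two branches disagree about which port they describe. Printing the same 16-bit value the lookup used keeps the output consistent and makes the 6-byte bound provably sufficient: `snprintf(str, sizeof(str), "%u", (unsigned)port & 0xffffu);`. Separately, `return serv->s_name;` now hands callers a pointer into getservbyport's own static storage, which the next getserv* call (possibly in another caller) can overwrite, whereas the old copy decoupled the result from that state; a comment on the function such as `/* Returns a pointer to static storage (ours or libc's); not reentrant, do not modify or keep across further lookups. */` would make that contract visible, since the non-const `char *` return type suggests otherwise.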