message.c
sigh buffer overflow in message_from
Showing
1 changed file
with
3 additions
and
3 deletions
| ... | @@ -249,7 +249,7 @@ message_from (message_t msg, char *buf, size_t len, size_t *pnwrite) | ... | @@ -249,7 +249,7 @@ message_from (message_t msg, char *buf, size_t len, size_t *pnwrite) |
| 249 | if (buf && len > 0) | 249 | if (buf && len > 0) |
| 250 | { | 250 | { |
| 251 | memcpy (buf, addr, n); | 251 | memcpy (buf, addr, n); |
| 252 | buf[n - 1] = '\0'; | 252 | buf[n] = '\0'; |
| 253 | } | 253 | } |
| 254 | free (addr); | 254 | free (addr); |
| 255 | free (from); | 255 | free (from); |
| ... | @@ -264,7 +264,7 @@ message_from (message_t msg, char *buf, size_t len, size_t *pnwrite) | ... | @@ -264,7 +264,7 @@ message_from (message_t msg, char *buf, size_t len, size_t *pnwrite) |
| 264 | if (buf && len > 0) | 264 | if (buf && len > 0) |
| 265 | { | 265 | { |
| 266 | memcpy (buf, "unknown", n); | 266 | memcpy (buf, "unknown", n); |
| 267 | buf [n - 1] = '\0'; | 267 | buf [n] = '\0'; |
| 268 | } | 268 | } |
| 269 | 269 | ||
| 270 | if (pnwrite) | 270 | if (pnwrite) |
| ... | @@ -311,7 +311,7 @@ message_received (message_t msg, char *buf, size_t len, size_t *pnwrite) | ... | @@ -311,7 +311,7 @@ message_received (message_t msg, char *buf, size_t len, size_t *pnwrite) |
| 311 | } | 311 | } |
| 312 | n = (n > len) ? len : n; | 312 | n = (n > len) ? len : n; |
| 313 | strncpy (buf, ctime (&t), n); | 313 | strncpy (buf, ctime (&t), n); |
| 314 | buf [n - 1] = '\0'; | 314 | buf [n] = '\0'; |
| 315 | if (pnwrite) | 315 | if (pnwrite) |
| 316 | *pnwrite = n; | 316 | *pnwrite = n; |
| 317 | return 0; | 317 | return 0; | ... | ... |
-
Please register or sign in to post a comment