#201 Potential Buffer overflow found by gcc 4.7

closed-fixed
nobody
5
2012-04-12
2012-04-11
Greg
No

The code below adjusts the starting location of each snprintf as the string is built, but not the maximum length passed to it.

--- sleuthkit-3.2.3.orig/tsk3/fs/ext2fs.c
+++ sleuthkit-3.2.3/tsk3/fs/ext2fs.c
@@ -1519,23 +1519,23 @@ ext2fs_make_acl_str(char *str, int len,
int i = 0;

if (perm & EXT2_PACL_PERM_READ) {
- snprintf(&str[i], len - 1, "Read");
+ snprintf(&str[i], len - i - 1, "Read");
i += 4;
}
if (perm & EXT2_PACL_PERM_WRITE) {
if (i) {
- snprintf(&str[i], len - 1, ", ");
+ snprintf(&str[i], len - i - 1, ", ");
i += 2;
}
- snprintf(&str[i], len - 1, "Write");
+ snprintf(&str[i], len - i - 1, "Write");
i += 5;
}
if (perm & EXT2_PACL_PERM_EXEC) {
if (i) {
- snprintf(&str[i], len - 1, ", ");
+ snprintf(&str[i], len - i - 1, ", ");
i += 2;
}
- snprintf(&str[i], len - 1, "Execute");
+ snprintf(&str[i], len - i - 1, "Execute");
i += 7;
}
}
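Review bot: The new size argument `len - i - 1` is a signed `int` (`int len` in the hunk header, `int i` on the first hunk line) that goes negative once `i` reaches `len - 1`, and a negative `int` converted to snprintf's `size_t` size parameter becomes a huge bound, so an undersized buffer is still overrun — the case the commit sets out to fix, just one write later. `i` is also advanced by the full literal length (4, 2, 5, 7) whether or not snprintf truncated, so each later `&str[i]` can point past the buffer, and `len <= 0` is not handled at all. The `- 1` is unnecessary besides, since snprintf's size already accounts for the terminator. I would route every write through one bounded helper that refuses to write when no room is left and advances `i` only by what was actually stored; the function's signature is outside the hunk, so the helper's placement and a doc comment on `len` (size of `str` in bytes, including the terminator) are for the author to settle.
```c
/* Append src at str[*i], never writing past str[len - 1]; *i advances only by what was stored. */
static void ext2fs_acl_append(char *str, int len, int *i, const char *src)
{
    int n;

    if (len <= 0 || *i >= len - 1) {
        return;                     /* no room left, or nothing usable */
    }
    n = snprintf(&str[*i], (size_t)(len - *i), "%s", src);
    if (n < 0) {
        return;
    }
    *i += (n < len - *i) ? n : (len - *i - 1);   /* truncated: only len-*i-1 chars landed */
}

/* … inside ext2fs_make_acl_str, each snprintf + i += N pair becomes one call … */
if (perm & EXT2_PACL_PERM_READ) {
    ext2fs_acl_append(str, len, &i, "Read");
}
if (perm & EXT2_PACL_PERM_WRITE) {
    if (i) {
        ext2fs_acl_append(str, len, &i, ", ");
    }
    ext2fs_acl_append(str, len, &i, "Write");
}
/* … unchanged shape: the Execute branch mirrors the Write branch … */
```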

Discussion

  • Brian Carrier
    Brian Carrier
    2012-04-12

    • status: open --> closed-fixed
     
  • Brian Carrier
    Brian Carrier
    2012-04-12

    Fixed on master on github.

    [master 5648cc7] Fixed issue 3516866 of Ext2 sprintfs reported by gregfreemyer
    1 files changed, 4 insertions(+), 4 deletions(-)