potential buffer overflow in auphone.c
Network transparent, client/server audio transport system
Brought to you by:
jon13
Hi, I found some buffer overflow vulnerability in nas-1.9.4.
Below line is code at clients/audio/auphone/auphone.c:360,
360 sprintf(buf, "%s %s %s %s %d %d 1", BUSY, VERSION, (char *) getenv("USER"), server, flow, i);
Since the length of buf is 100 and there is no length check, if a malicious attacker puts a large string to 'USER' environment variable, it can cause stack buffer overflow, which leads to buggy behavior.
Fixed in current master.