From: William T. M. <wt...@du...> - 2002-09-29 20:38:53
Attachments:
sprintf.patch
Hi,

While working with the Oscar prpl I came across a few places that used sprintf with a fixed-size buffer. I don't think this is a big deal because the untrusted data usually passes through the BOS server, which probably places restrictions on the lengths of screennames and the like.

However, it doesn't appear that Gaim checks the lengths of incoming TLVs, and now that direct TCP connections to other clients are supported, I think it's important to handle any outside data carefully. The attached patch changes the sprintf()s to snprintf()s.

Also, if this is not the best place for someone without CVS commit access to send these sorts of small patches, just let me know.

-- Wil
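The two hazards Wil's message describes, an sprintf() into a fixed-size buffer and a TLV whose declared length is never compared against the bytes actually received, are shown below in an added example. This is not code from the attached patch or from the Gaim/Oscar prpl source; the TLV layout (2-byte type, 2-byte big-endian length, then the value), the choice of type 0x0001 as the screen name TLV, and the 16-character MAX_SN_LEN cap are assumptions made for illustration. The snprintf() call checks its return value, since a truncated result is still a bug even when it is no longer an overflow.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_SN_LEN 16   /* assumed maximum screen name length, for illustration */

/* Format "<screenname> is away" into a caller-supplied fixed-size buffer.
 * sprintf() would write past the end of `out` for a long name; snprintf()
 * stops at outlen and returns the length the full string would have needed,
 * so we treat n >= outlen as a failure instead of silently truncating.
 * Returns 0 on success, -1 if the message would not fit. */
int format_away(char *out, size_t outlen, const char *sn)
{
    int n = snprintf(out, outlen, "%s is away", sn);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Parse one TLV (assumed layout: 2-byte type, 2-byte big-endian length, value)
 * from a received buffer, refusing records whose declared length exceeds the
 * bytes actually present. Returns the value length, or -1 on a malformed TLV. */
int read_tlv(const uint8_t *buf, size_t buflen, uint16_t *type,
             const uint8_t **value, uint16_t *len)
{
    if (buflen < 4)
        return -1;                       /* not even a complete header */
    *type = (uint16_t)((buf[0] << 8) | buf[1]);
    *len  = (uint16_t)((buf[2] << 8) | buf[3]);
    if ((size_t)*len > buflen - 4)
        return -1;                       /* declared length exceeds what we received */
    *value = buf + 4;
    return *len;
}

/* Copy a screen name TLV value into a NUL-terminated buffer with a hard cap.
 * Returns the name length, or -1 if the TLV is malformed, wrong type, or too long. */
int tlv_to_screenname(const uint8_t *buf, size_t buflen, char *sn, size_t snlen)
{
    uint16_t type, len;
    const uint8_t *val;

    if (read_tlv(buf, buflen, &type, &val, &len) < 0)
        return -1;
    if (type != 0x0001)                  /* assumed: type 1 carries the screen name */
        return -1;
    if (len >= snlen)                    /* must leave room for the terminator */
        return -1;
    memcpy(sn, val, len);
    sn[len] = '\0';
    return (int)len;
}

/* Constructed sample records (not captured traffic). The second one claims a
 * 256-byte value but only carries three bytes, the case an unchecked parser
 * would read past the end of. */
static const uint8_t good_tlv[]  = { 0x00, 0x01, 0x00, 0x03, 'w', 'i', 'l' };
static const uint8_t lying_tlv[] = { 0x00, 0x01, 0x01, 0x00, 'w', 'i', 'l' };

/* Self-check helpers: each returns 1 when the function behaves as intended. */
int check_format_fits(void)
{
    char buf[32];
    return format_away(buf, sizeof buf, "wil") == 0 && strcmp(buf, "wil is away") == 0;
}

int check_format_truncated(void)
{
    char buf[8];                         /* "wil is away" needs 12 bytes with NUL */
    return format_away(buf, sizeof buf, "wil") == -1;
}

int check_tlv_ok(void)
{
    char sn[MAX_SN_LEN + 1];
    return tlv_to_screenname(good_tlv, sizeof good_tlv, sn, sizeof sn) == 3
        && strcmp(sn, "wil") == 0;
}

int check_tlv_lying_length(void)
{
    char sn[MAX_SN_LEN + 1];
    return tlv_to_screenname(lying_tlv, sizeof lying_tlv, sn, sizeof sn) == -1;
}

int main(void)
{
    printf("format fits:        %d\n", check_format_fits());
    printf("format truncated:   %d\n", check_format_truncated());
    printf("tlv ok:             %d\n", check_tlv_ok());
    printf("tlv lying length:   %d\n", check_tlv_lying_length());
    return 0;
}
```

The return-value check on snprintf() matters because C99 snprintf() always NUL-terminates when the buffer is non-empty, but some older libc and Windows variants of the era did not; refusing the call when the result would not fit keeps the code correct on both. The TLV check is the part the thread says Gaim lacked: the declared length is compared against the bytes actually received before anything is copied.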
From: Luke S. <lsc...@gm...> - 2002-09-30 04:19:27
On Sun, Sep 29, 2002 at 04:38:54PM -0400, William T. Mahan wrote:
> Hi,
>
> While working with the Oscar prpl I came across a few places that used
> sprintf with a fixed-size buffer. I don't think this is a big deal
> because the untrusted data usually passes through the BOS server,
> which probably places restrictions on the lengths of screennames and
> the like.
>
> However, it doesn't appear that Gaim checks the lengths of incoming
> TLVs, and now that direct TCP connections to other clients are
> supported, I think it's important to handle any outside data
> carefully. The attached patch changes the sprintf()s to snprintf()s.
>
> Also, if this is not the best place for someone without CVS commit
> access to send these sorts of small patches, just let me
> know.

Sending patches here is fine, especially for bug fix patches. Posting them to SourceForge, though, allows people to test patches that we might want to wait a while before committing, if, say, other things are happening to the body of code modified at the time.

luke

--
-This email is made of 100% recycled electrons.
-If something can go wrong.... FIX IT! If it's Microsoft...delete it.
-There are three ways to get something done: (1) Do it yourself. (2) Hire someone to do it for you. (3) Forbid your kids to do it.