Potential Buffer overflow found by gcc 4.7
Brought to you by:
carrier
Menu
▾
▴
#201 Potential Buffer overflow found by gcc 4.7
The below code adjusts the starting location of a snprintf as a string is built, but not the max. length of the string.
--- sleuthkit-3.2.3.orig/tsk3/fs/ext2fs.c
+++ sleuthkit-3.2.3/tsk3/fs/ext2fs.c
@@ -1519,23 +1519,23 @@ ext2fs_make_acl_str(char *str, int len,
int i = 0;
if (perm & EXT2_PACL_PERM_READ) {
- snprintf(&str[i], len - 1, "Read");
+ snprintf(&str[i], len - i - 1, "Read");
i += 4;
}
if (perm & EXT2_PACL_PERM_WRITE) {
if (i) {
- snprintf(&str[i], len - 1, ", ");
+ snprintf(&str[i], len - i - 1, ", ");
i += 2;
}
- snprintf(&str[i], len - 1, "Write");
+ snprintf(&str[i], len - i - 1, "Write");
i += 5;
}
if (perm & EXT2_PACL_PERM_EXEC) {
if (i) {
- snprintf(&str[i], len - 1, ", ");
+ snprintf(&str[i], len - i - 1, ", ");
i += 2;
}
- snprintf(&str[i], len - 1, "Execute");
+ snprintf(&str[i], len - i - 1, "Execute");
i += 7;
}
}
Fixed on master on github.
[master 5648cc7] Fixed issue 3516866 of Ext2 sprintfs reported by gregfreemyer
1 files changed, 4 insertions(+), 4 deletions(-)