Hi,
I've found the bug mentioned above in the file cache.c.
The following fragment of code is located in the affected file
in two places.
    if((len+1) > MAXUSERNAME) {
        log(L_ERR, "HASH: Username too long in line: %s", buffer);
    }
    strncpy(username, buffer, len); /* BUFFER OVERFLOW HERE */
    username[len] = '\0';
The proposed change is placing
    len = MAXUSERNAME - 1;
into the braced block, such as:
    if((len+1) > MAXUSERNAME) {
        log(L_ERR, "HASH: Username too long in line: %s", buffer);
        len = MAXUSERNAME - 1;
    }
The less important issue is that the two messages
aren't the same but only similar (they have a different number of
spaces). This inconsistency may cause problems
when parsing the log file.
Regards David.
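As an added illustration (not code from cache.c or from the reporter), the fragment below applies the proposed clamp and shows why it is enough: strncpy copies len bytes and the terminator is written at index len, so the write stays inside a MAXUSERNAME-byte array only if len is at most MAXUSERNAME - 1. MAXUSERNAME, the log stub and the sample line are assumed values chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: the real cache.c defines its own MAXUSERNAME. */
#define MAXUSERNAME 16

/* Stand-in for the daemon's log(L_ERR, ...): count and print the report. */
static int too_long_reports = 0;
static void log_too_long(const char *buffer)
{
    too_long_reports++;
    fprintf(stderr, "HASH: Username too long in line: %s\n", buffer);
}

/* Non-zero when the original, unclamped fragment would write past
 * username[MAXUSERNAME - 1]: the NUL terminator lands at index len. */
int would_overflow(size_t len)
{
    return (len + 1) > MAXUSERNAME;
}

/* The fragment with the proposed clamp applied. username must be an
 * array of MAXUSERNAME bytes. Returns the number of characters stored. */
size_t copy_username(char *username, const char *buffer, size_t len)
{
    if ((len + 1) > MAXUSERNAME) {
        log_too_long(buffer);
        len = MAXUSERNAME - 1;  /* clamp: terminator now fits in the array */
    }
    strncpy(username, buffer, len);
    username[len] = '\0';       /* index len <= MAXUSERNAME - 1 after clamp */
    return len;
}

int main(void)
{
    char username[MAXUSERNAME];
    /* Constructed sample line: a 25-character username followed by the rest. */
    const char *line = "averyveryverylongusername:rest-of-line";
    size_t n = copy_username(username, line, 25);
    printf("stored %zu chars: \"%s\" (reports=%d)\n", n, username, too_long_reports);
    return 0;
}
```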