Re: Buffer overflow in "lpr"
Warner Losh (imp@VILLAGE.ORG)
Tue, 08 Jul 1997 08:31:30 -0600
In message <31DBF6DD.1A0E@redrose.net> a42n8k9 writes:
: If I'm not mistaken this should show if a vulnerability exists.
...
: static char *linked(register char *file) {
: register char *cp;
: static char buf[BUFSIZ];
: .
: .
: .
: strcat(buf, "/");
: -------------> strcat(buf, file);
: .
: .
: .
: }
:
: Perhaps a fix would be to use the line "strncat(buf, file, BUFSIZ)"
: but that would stop
: lpr from processing a file with a name greater than BUFSIZ characters.
strncat wouldn't do what you wanted in this case. It would append at
most BUFSIZ characters, rather than at most BUFSIZE-strlen(buf)
characters. Also, you need to '\0' terminate the buf after this
because str*cat doesn't do that for you.
Warner