Re: questions regarding libmimelib1 as separate source package
Jonas Meurer <jonas@freesources.org> writes:
> Unfortunately ron discovered a far worse issue. The way str[ln]cat()
> is used in mimelib makes it very error-prone to buffer overflows:
>
> #define SEND_BUFFER_SIZE 1024
> ...
> mSendBuffer = new char[SEND_BUFFER_SIZE];
> ...
> strlcpy(mSendBuffer, "PASS ", SEND_BUFFER_SIZE);
> strlcat(mSendBuffer, aPasswd, SEND_BUFFER_SIZE);
> strlcat(mSendBuffer, "\r\n", SEND_BUFFER_SIZE);
>
> This, without any sanitising code for aPasswd, causes mSendBuffer to be
> overflowable for at least strlen("PASS ") + strlen("\r\n").
That code is safe from a buffer overflow perspective using strlcpy and
strlcat, but may not end the buffer with \r\n.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
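The behaviour Russ describes can be checked directly. The following is an added example, not code from this thread or from mimelib: it rebuilds the quoted "PASS" line with strlcpy/strlcat semantics and shows that a long aPasswd never writes past the buffer but can lose its trailing CRLF, which is exactly the condition a caller would want to detect from strlcat's return value. The strlcpy/strlcat bodies are local reimplementations with the BSD contract (an assumption made because glibc before 2.38 does not ship them), and the 16-byte buffer is a constructed stand-in for SEND_BUFFER_SIZE so the truncation is easy to see.

```c
#include <stdio.h>
#include <string.h>

/* Local reimplementations with BSD strlcpy/strlcat semantics (assumption:
 * the toolchain may lack them). Both never write beyond `size` bytes,
 * always NUL-terminate when size > 0, and return the length the result
 * would have had without truncation, so return >= size means "truncated". */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

static size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = strnlen(dst, size);
    size_t srclen = strlen(src);
    if (dstlen == size)            /* dst not terminated within size: append nothing */
        return size + srclen;
    size_t room = size - dstlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dstlen, src, n);
    dst[dstlen + n] = '\0';
    return dstlen + srclen;
}

/* Does the finished line carry the CRLF the protocol requires? */
int ends_with_crlf(const char *s)
{
    size_t len = strlen(s);
    return len >= 2 && s[len - 2] == '\r' && s[len - 1] == '\n';
}

/* Build "PASS <passwd>\r\n" the way the quoted mimelib code does.
 * Never writes outside buf[0..size). Returns 1 when the whole line fit,
 * 0 when strlcat reports that part of the password or the CRLF was cut. */
int build_pass_line(char *buf, size_t size, const char *passwd)
{
    size_t need;
    need = my_strlcpy(buf, "PASS ", size);
    need = my_strlcat(buf, passwd, size);
    need = my_strlcat(buf, "\r\n", size);
    /* Only the last return value is needed: earlier truncation leaves
     * strnlen(buf) == size - 1, which pushes this value past size too. */
    return need < size;
}

/* Wrapper for experiments: builds into a 64-byte scratch buffer capped at
 * `size` bytes and reports whether the line came out complete. */
int pass_line_complete(const char *passwd, size_t size)
{
    char buf[64];
    if (size > sizeof buf)
        size = sizeof buf;
    int fit = build_pass_line(buf, size, passwd);
    return fit && ends_with_crlf(buf);
}

int main(void)
{
    /* Constructed sample passwords against a 16-byte buffer. */
    const char *samples[] = { "secret", "123456789", "averylongpassword" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[16];
        int fit = build_pass_line(buf, sizeof buf, samples[i]);
        printf("%-18s -> fit=%d crlf=%d strlen=%zu\n",
               samples[i], fit, ends_with_crlf(buf), strlen(buf));
    }
    return 0;
}
```

With the 16-byte buffer, "secret" yields a complete 13-byte line; "123456789" fills the buffer so only the "\r" survives and the "\n" is dropped; "averylongpassword" is cut mid-password and gets no terminator at all. In none of the three cases is anything written past the buffer, which is the point of strlcat, but a server receiving the truncated line would wait for a CRLF that never arrives, so the caller should check the final strlcat return value against the buffer size before sending.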