Re: questions regarding libmimelib1 as separate source package



Jonas Meurer <jonas@freesources.org> writes:

> Unfortunately Ron discovered a far worse issue. The way str[ln]cat()
> is used in mimelib makes it very error-prone to buffer overflows:
>
> #define SEND_BUFFER_SIZE  1024
> ...
> mSendBuffer = new char[SEND_BUFFER_SIZE];
> ...
> strlcpy(mSendBuffer, "PASS ", SEND_BUFFER_SIZE);
> strlcat(mSendBuffer, aPasswd, SEND_BUFFER_SIZE);
> strlcat(mSendBuffer, "\r\n", SEND_BUFFER_SIZE);
>
> This, without any sanitising code for aPasswd, causes mSendBuffer to be
> overflowable for at least strlen("PASS ") + strlen("\r\n").

That code is safe from a buffer overflow perspective using strlcpy and
strlcat, but may not end the buffer with \r\n.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
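An added example, not code from mimelib or from either poster, that reproduces the quoted PASS-line construction with a local reimplementation of the BSD strlcpy/strlcat semantics (the my_ function names and the constructed sample passwords are assumptions) and shows the check Russ's observation calls for: inspecting the final strlcat return value reveals when the line was silently truncated and lost its "\r\n".

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEND_BUFFER_SIZE 1024

/* Local reimplementation of BSD strlcpy/strlcat (hypothetical names) so the
 * example builds where libc lacks them; both return the length they tried
 * to create, so a return value >= size means the result was truncated. */
static size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}
static size_t my_strlcat(char *dst, const char *src, size_t size) {
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0') dlen++;
    if (dlen == size) return size + strlen(src); /* dst was unterminated */
    return dlen + my_strlcpy(dst + dlen, src, size - dlen);
}

/* Same three calls as the quoted mimelib code, but the last strlcat return
 * value is checked: 1 = whole line fit, 0 = silently truncated, "\r\n" lost. */
static int build_pass_line(char *buf, size_t size, const char *passwd) {
    my_strlcpy(buf, "PASS ", size);
    my_strlcat(buf, passwd, size);
    return my_strlcat(buf, "\r\n", size) < size;
}

/* Returns 1 if a constructed password of pwlen bytes yields a complete,
 * CRLF-terminated line in a SEND_BUFFER_SIZE buffer, else 0. */
static int pass_line_fits(size_t pwlen) {
    char buf[SEND_BUFFER_SIZE];
    char pw[4096];
    if (pwlen >= sizeof pw) return 0;
    memset(pw, 'A', pwlen);              /* constructed sample password */
    pw[pwlen] = '\0';
    int fit = build_pass_line(buf, sizeof buf, pw);
    size_t n = strlen(buf);
    return fit && n >= 2 && buf[n - 2] == '\r' && buf[n - 1] == '\n';
}

int main(void) {
    printf("7-byte password fits: %d\n", pass_line_fits(7));       /* 1 */
    printf("1999-byte password fits: %d\n", pass_line_fits(1999)); /* 0 */
    return 0;
}
```

The buffer is never overrun, which is Russ's point, but with a 1999-byte password the stored line is 1023 bytes with no terminating "\r\n", and only the return-value check notices.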