Hi all,
While tracking down bugs in a project, I noticed 2 buffer overruns in
b_sock.c. The space is correctly allocated, but the subsequent memcpy()
copies exactly 1 byte more than was allocated. The following patch fixes
this. By the way, is there a special reason for the explicit cast in the first
memcpy()? One would assume that on any reasonable system h_name should
be of type char *, rendering the cast unnecessary. But then again, you
do get weird systems ...
HTH,
Hannes
--
Hannes Reinecke <[EMAIL PROTECTED]>
Fluid Loading and Instrumentation Center Tel: (+44) 131 451 3149
Dept. of Civil & Offshore Engineering Fax: (+44) 131 451 3154
Heriot Watt University, Edinburgh EH14 4AS
--- crypto/bio/b_sock.c.orig Tue Aug 24 10:44:06 1999
+++ crypto/bio/b_sock.c Tue Aug 24 10:45:57 1999
@@ -282,20 +282,20 @@
j=strlen(a->h_name)+1;
if ((ret->h_name=Malloc(j)) == NULL) goto err;
- memcpy((char *)ret->h_name,a->h_name,j+1);
+ memcpy(ret->h_name,a->h_name,j);
for (i=0; a->h_aliases[i] != NULL; i++)
{
j=strlen(a->h_aliases[i])+1;
if ((ret->h_aliases[i]=Malloc(j)) == NULL) goto err;
- memcpy(ret->h_aliases[i],a->h_aliases[i],j+1);
+ memcpy(ret->h_aliases[i],a->h_aliases[i],j);
}
ret->h_length=a->h_length;
ret->h_addrtype=a->h_addrtype;
for (i=0; a->h_addr_list[i] != NULL; i++)
{
- if ((ret->h_addr_list[i]=Malloc(a->h_length)) == NULL)
- goto err;
- memcpy(ret->h_addr_list[i],a->h_addr_list[i],a->h_length);
+ j=strlen(a->h_addr_list[i])+1;
+ if ((ret->h_addr_list[i]=Malloc(j)) == NULL) goto err;
+ memcpy(ret->h_addr_list[i],a->h_addr_list[i],j);
}
if (0)
{