- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.
Report and fix from Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
diff --git a/fake-getnameinfo.c b/fake-getnameinfo.c
index 867cf90..7b00981 100644
--- a/fake-getnameinfo.c
+++ b/fake-getnameinfo.c
@@ -25,15 +25,15 @@
if (strlen(tmpserv) > servlen)
return EAI_MEMORY;
else
- strcpy(serv, tmpserv);
+ strlcpy(serv, tmpserv, servlen);
}
if (host) {
if (flags & NI_NUMERICHOST) {
- if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
+ if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen)
return EAI_MEMORY;
- strcpy(host, inet_ntoa(sin->sin_addr));
+ strlcpy(host, inet_ntoa(sin->sin_addr), hostlen);
return 0;
} else {
hp = gethostbyaddr((char *)&sin->sin_addr,
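Review bot: The service-name guard at the top of this hunk still reads `if (strlen(tmpserv) > servlen)`, while both host checks in this commit were tightened to `>=`. The new `strlcpy(serv, tmpserv, servlen)` no longer writes past the buffer, but when the length equals servlen it drops the last character and the function reports success instead of EAI_MEMORY. Changing the guard to `if (strlen(tmpserv) >= servlen)` would make the three checks agree and keep a truncated service string from reaching the caller. The enclosing function starts and ends outside the hunk, so how tmpserv is filled is not visible here.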
@@ -41,10 +41,10 @@
if (hp == NULL)
return EAI_NODATA;
- if (strlen(hp->h_name) > hostlen)
+ if (strlen(hp->h_name) >= hostlen)
return EAI_MEMORY;
- strcpy(host, hp->h_name);
+ strlcpy(host, hp->h_name, hostlen);
return 0;
}
}