[34352] in bugtraq
Re: cdp buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Vade 79)
Wed Mar 31 17:41:11 2004
Date: 31 Mar 2004 21:45:04 -0000
Message-ID: <20040331214504.1123.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Vade 79 <v9@fakehalo.deadpig.org>
To: bugtraq@securityfocus.com
In-Reply-To: <20040331161611.75451.qmail@web25104.mail.ukl.yahoo.com>
for the patch you provided you should use sizeof(buffer), not strlen(buffer) (or 200) to limit the amount written to buffer[].
>--- songname.patch ---
>
>--- cdp.c 2004-03-31 15:48:55.000000000 +0100
>+++ cdp.1.c 2004-03-31 15:44:35.000000000 +0100
>@@ -154,7 +154,7 @@
> for ( ind = 0; ind < cdStatus.thiscd.ntracks;
>ind++ ) {
> trk = &cdStatus.thiscd.trk[ ind ];
> if ( trk->songname != NULL ) {
>- sprintf( buffer, "%s", trk->songname );
>+ snprintf( buffer, strlen(buffer), "%s",
>trk->songname );
> } else
> buffer[ 0 ] = 0;
>
>
>--- eof ---
