[PATCH 1/3] Fix possible buffer overflow for gsn_restart file path

Neels Hofmeyr nhofmeyr at sysmocom.de
Thu Sep 15 13:06:38 UTC 2016


For strncat, to obtain n, one must not subtract the length of what is appended,
but the length of what is already written from the buffer size.

Verified with this little test program:

 #include <stdio.h>
 #include <string.h>

 int main() {
   char buf[20];
   /* Pretend the buffer is 10 bytes wide: 3 chars written so far. */
   strncpy(buf, "123", 10);
   /* n = room left after what is already in buf (10 - 3 = 7), not the
    * length of the string being appended. */
   strncat(buf, "456789012345", 10 - strlen(buf));
   printf("%s\n", buf);
   return 0;
 }

It prints "1234567890".
---
 gtp/gtp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gtp/gtp.c b/gtp/gtp.c
index 12cb492..55a8ce4 100644
--- a/gtp/gtp.c
+++ b/gtp/gtp.c
@@ -650,7 +650,7 @@ static void log_restart(struct gsn_t *gsn)
 
 	filename[NAMESIZE - 1] = 0;	/* No null term. guarantee by strncpy */
 	strncpy(filename, gsn->statedir, NAMESIZE - 1);
-	strncat(filename, RESTART_FILE, NAMESIZE - 1 - sizeof(RESTART_FILE));
+	strncat(filename, RESTART_FILE, NAMESIZE - 1 - strlen(filename));
 
 	i = umask(022);
 
-- 
2.1.4
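The following is an added example, not code from the patch or from the osmo-ggsn tree, showing side by side the bound the removed line computed and the bound the fixed line computes, and how the fixed log_restart() logic behaves when statedir nearly fills the buffer. NAMESIZE = 32 and RESTART_FILE = "/gsn_restart" are assumed values chosen for the demonstration; the real definitions in gtp.c are not shown in the patch. The example computes what each strncat call would need without performing the overflowing write.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: gtp.c's real NAMESIZE and RESTART_FILE are not shown in
 * the patch; a small NAMESIZE keeps the arithmetic easy to follow. */
#define NAMESIZE 32
#define RESTART_FILE "/gsn_restart"   /* 12 chars, sizeof() == 13 with the NUL */

/* n as the removed line computed it. It depends only on the literal being
 * appended, never on how much of the buffer the prefix already fills.
 * (With NAMESIZE < sizeof(RESTART_FILE) + 1 the size_t subtraction would
 * even wrap to a huge value.) */
size_t old_strncat_bound(const char *buf)
{
    (void)buf;
    return NAMESIZE - 1 - sizeof(RESTART_FILE);
}

/* n as the fixed line computes it: the room left after what is in buf,
 * keeping one byte for the NUL that strncat always writes. */
size_t new_strncat_bound(const char *buf)
{
    return NAMESIZE - 1 - strlen(buf);
}

/* strncat(buf, src, n) appends min(n, strlen(src)) bytes and then one NUL.
 * Return the total size the buffer would need after such a call, computed
 * without performing the write, so the two bounds can be compared safely. */
size_t total_after_strncat(const char *buf, const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n)
        add = n;
    return strlen(buf) + add + 1;
}

/* Build "<statedir><RESTART_FILE>" into out[NAMESIZE] exactly as the fixed
 * log_restart() does. Returns 1 if the complete path fit, 0 if either the
 * statedir or RESTART_FILE was truncated; a caller should treat 0 as an
 * error rather than open the shortened name. */
int build_restart_path(char out[NAMESIZE], const char *statedir)
{
    out[NAMESIZE - 1] = 0;                 /* strncpy does not guarantee a NUL */
    strncpy(out, statedir, NAMESIZE - 1);
    strncat(out, RESTART_FILE, NAMESIZE - 1 - strlen(out));
    return strlen(out) == strlen(statedir) + strlen(RESTART_FILE);
}

/* Self-check helpers: did the full path fit, and what did the buffer end up as? */
int restart_path_fits(const char *statedir)
{
    char out[NAMESIZE];
    return build_restart_path(out, statedir);
}

int restart_path_equals(const char *statedir, const char *expected)
{
    char out[NAMESIZE];
    build_restart_path(out, statedir);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a short statedir and one that nearly fills the buffer. */
    const char *dirs[] = { "/var/lib", "/var/lib/osmocom-ggsn/state" };
    char out[NAMESIZE];
    size_t i;

    for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        size_t old_n = old_strncat_bound(dirs[i]);
        size_t new_n = new_strncat_bound(dirs[i]);
        size_t old_need = total_after_strncat(dirs[i], RESTART_FILE, old_n);
        size_t new_need = total_after_strncat(dirs[i], RESTART_FILE, new_n);
        int complete = build_restart_path(out, dirs[i]);

        printf("statedir=\"%s\" (%zu chars)\n", dirs[i], strlen(dirs[i]));
        printf("  old bound %zu -> needs %zu bytes of %d%s\n", old_n, old_need,
               NAMESIZE, old_need > NAMESIZE ? " (OVERFLOW)" : "");
        printf("  new bound %zu -> needs %zu bytes of %d\n", new_n, new_need,
               NAMESIZE);
        printf("  fixed code builds \"%s\" (%s)\n", out,
               complete ? "complete" : "truncated");
    }
    return 0;
}
```

With the 27-character statedir the old bound (18) would let strncat write 40 bytes into a 32-byte buffer; the fixed bound (4) keeps the write inside the buffer but leaves "/var/lib/osmocom-ggsn/state/gsn", which is why build_restart_path() reports the truncation instead of letting the caller use the shortened name.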



More information about the osmocom-net-gprs mailing list