summaryrefslogtreecommitdiffstats
path: root/compat/inet_ntop.c
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2015-09-24 23:06:06 +0200
committerJunio C Hamano <gitster@pobox.com>2015-09-25 19:18:18 +0200
commitdb85a8a9c2fb492d3cd528dbbcc52075c607cf79 (patch)
tree4327ae7e50a7f13fb1354203f6395d65d83aebfa /compat/inet_ntop.c
parenttest-dump-cache-tree: avoid overflow of cache-tree name (diff)
downloadgit-db85a8a9c2fb492d3cd528dbbcc52075c607cf79.tar.xz
git-db85a8a9c2fb492d3cd528dbbcc52075c607cf79.zip
compat/inet_ntop: fix off-by-one in inet_ntop4
Our compat inet_ntop4 function writes to a temporary buffer with snprintf, and then uses strcpy to put the result into the final "dst" buffer. We check the return value of snprintf against the size of "dst", but fail to account for the NUL terminator. As a result, we may overflow "dst" with a single NUL. In practice, this doesn't happen because the output of inet_ntop is limited, and we provide buffers that are way oversized. We can fix the off-by-one check easily, but while we are here let's also use strlcpy for increased safety, just in case there are other bugs lurking. As a side note, this compat code seems to be BSD-derived. Searching for "vixie inet_ntop" turns up NetBSD's latest version of the same code, which has an identical fix (and switches to strlcpy, too!). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'compat/inet_ntop.c')
-rw-r--r--compat/inet_ntop.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/compat/inet_ntop.c b/compat/inet_ntop.c
index 90b7cc45f3..68307262be 100644
--- a/compat/inet_ntop.c
+++ b/compat/inet_ntop.c
@@ -53,11 +53,11 @@ inet_ntop4(const u_char *src, char *dst, size_t size)
nprinted = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
if (nprinted < 0)
return (NULL); /* we assume "errno" was set by "snprintf()" */
- if ((size_t)nprinted > size) {
+ if ((size_t)nprinted >= size) {
errno = ENOSPC;
return (NULL);
}
- strcpy(dst, tmp);
+ strlcpy(dst, tmp, size);
return (dst);
}
@@ -154,7 +154,7 @@ inet_ntop6(const u_char *src, char *dst, size_t size)
errno = ENOSPC;
return (NULL);
}
- strcpy(dst, tmp);
+ strlcpy(dst, tmp, size);
return (dst);
}
#endif