diff options
| author | Peter Wemm <peter@FreeBSD.org> | 1996-07-28 20:29:10 +0000 |
|---|---|---|
| committer | Peter Wemm <peter@FreeBSD.org> | 1996-07-28 20:29:10 +0000 |
| commit | efa38539495d4c97cbbab553df97583beeaeb2a2 (patch) | |
| tree | 6e3cea6cff1002cc56f9033f62c7a6e967af8033 /sbin/ping/ping.c | |
| parent | ef1c2ba16fbb102ec646dc48f37c77adb9cb451b (diff) | |
| download | src-efa38539495d4c97cbbab553df97583beeaeb2a2.tar.gz src-efa38539495d4c97cbbab553df97583beeaeb2a2.zip | |
Limit the risk of `buf' overrun in ping.c when printing hostnames.
Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subert the flow of execution in any way. About the worst case was
that if you pinged a long hostname, ping could coredump.
Pointed out on: bugtraq (listserv@netspace.org)
Notes
Notes:
svn path=/head/; revision=17320
Diffstat (limited to 'sbin/ping/ping.c')
| -rw-r--r-- | sbin/ping/ping.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 3545c319ec20..de19a4575d02 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -959,9 +959,10 @@ pr_addr(l) if ((options & F_NUMERIC) || !(hp = gethostbyaddr((char *)&l, 4, AF_INET))) - (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); + (void)snprintf(buf, sizeof(buf), "%s", + inet_ntoa(*(struct in_addr *)&l)); else - (void)sprintf(buf, "%s (%s)", hp->h_name, + (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&l)); return(buf); } |