CID 401: STRING_OVERFLOW in ptload #1434

Closed
brong opened this Issue Aug 29, 2011 · 1 comment

brong commented Aug 29, 2011

From: Greg Banks
Bugzilla-Id: 3540
Version: 2.4.x (next)
Owner: Bron Gondwana

brong commented Aug 29, 2011

From: Greg Banks

Found by Coverity. A string from the imapd.conf file is copied into a fixed size data structure with the only length check being strncpy(), which might leave an unterminated string.

427 fname = libcyrus_config_getstring(CYRUSOPT_PTLOADER_SOCK);
At conditional (11): "!fname" taking true path
428 if (!fname) {
429 tofree = strconcat(config_dir, PTS_DBSOCKET, (char *)NULL);
430 fname = tofree;
431 }
432
433 memset((char *)&srvaddr, 0, sizeof(srvaddr));
434 srvaddr.sun_family = AF_UNIX;
Event fixed_size_dest: You might overrun the 108 byte fixed-size string "srvaddr.sun_path" by copying "fname" without checking the length.
435 strcpy(srvaddr.sun_path, fname);
436 r = nb_connect(s, (struct sockaddr *)&srvaddr, sizeof(srvaddr), PT_TIMEOUT_SEC);

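The Coverity listing above shows the unbounded `strcpy()` into `srvaddr.sun_path`, whose capacity is fixed by `sizeof(struct sockaddr_un)`; whatever length `libcyrus_config_getstring()` returns from imapd.conf is copied as-is. The function below is an added example (not Cyrus code, and not the fix that closed this issue) of the length check the report asks for: it refuses any path that does not fit with its terminating NUL and leaves the structure untouched on failure. The helper `path_of_length_fits()` and the sample path are constructed for demonstration only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical bounded replacement for `strcpy(srvaddr.sun_path, fname)`.
 * Returns 0 on success, -1 (with errno set) if fname is NULL or does not
 * fit in sun_path together with its terminating NUL. */
int set_unix_socket_path(struct sockaddr_un *srvaddr, const char *fname)
{
    size_t cap, len;

    if (!srvaddr || !fname) {
        errno = EINVAL;
        return -1;
    }

    cap = sizeof(srvaddr->sun_path);
    /* strnlen() bounds the scan, so an unterminated input string cannot
     * be read beyond the destination's capacity either. */
    len = strnlen(fname, cap);
    if (len >= cap) {
        /* No room for the NUL: reject instead of truncating silently,
         * since a truncated socket path would connect to the wrong thing. */
        errno = ENAMETOOLONG;
        return -1;
    }

    memset(srvaddr, 0, sizeof(*srvaddr));
    srvaddr->sun_family = AF_UNIX;
    memcpy(srvaddr->sun_path, fname, len + 1); /* len + 1 copies the NUL */
    return 0;
}

/* Demonstration helper: does a path of n characters get accepted?
 * Returns the result of set_unix_socket_path(), or -1 if n is too big
 * for the scratch buffer. */
int path_of_length_fits(size_t n)
{
    char buf[1024];
    struct sockaddr_un sa;

    if (n >= sizeof(buf))
        return -1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return set_unix_socket_path(&sa, buf);
}

/* Demonstration helper: returns 1 if fname is accepted and stored intact. */
int path_accepted_intact(const char *fname)
{
    struct sockaddr_un sa;

    if (set_unix_socket_path(&sa, fname) != 0)
        return 0;
    return sa.sun_family == AF_UNIX && strcmp(sa.sun_path, fname) == 0;
}

int main(void)
{
    /* Constructed sample path, similar in shape to config_dir + PTS_DBSOCKET. */
    const char *sample = "/var/imap/socket/ptsock";
    size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);

    printf("sun_path capacity on this platform: %zu bytes\n", cap);
    printf("sample path accepted intact: %d\n", path_accepted_intact(sample));
    printf("%zu-char path accepted: %d\n", cap - 1, path_of_length_fits(cap - 1));
    printf("%zu-char path accepted: %d\n", cap, path_of_length_fits(cap));
    return 0;
}
```

The capacity is taken from `sizeof(srvaddr->sun_path)` rather than hard-coded to 108, because that figure is Linux-specific (other platforms use 104); the check must follow the structure actually compiled against.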
@brong brong added IMAP P3 bug labels Dec 13, 2016

@brong brong self-assigned this Dec 13, 2016

@brong brong added the diceroll label Jun 27, 2017

@brong brong assigned elliefm and unassigned brong Jun 27, 2017

@elliefm elliefm closed this in 7b6b01a Jun 28, 2017
