Found by Coverity. A string from the imapd.conf file is copied into a fixed size data structure with the only length check being strncpy(), which might leave an unterminated string.
427 fname = libcyrus_config_getstring(CYRUSOPT_PTLOADER_SOCK);
At conditional (11): "!fname" taking true path
428 if (!fname) {
429 tofree = strconcat(config_dir, PTS_DBSOCKET, (char *)NULL);
430 fname = tofree;
431 }
432
433 memset((char *)&srvaddr, 0, sizeof(srvaddr));
434 srvaddr.sun_family = AF_UNIX;
Event fixed_size_dest: You might overrun the 108 byte fixed-size string "srvaddr.sun_path" by copying "fname" without checking the length.
435 strcpy(srvaddr.sun_path, fname);
436 r = nb_connect(s, (struct sockaddr *)&srvaddr, sizeof(srvaddr), PT_TIMEOUT_SEC);
From: Greg Banks
Bugzilla-Id: 3540
Version: 2.4.x (next)
Owner: Bron Gondwana
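A length-checked way to fill `srvaddr.sun_path` from a configuration value, as an added example that is not part of the original report or the Cyrus code base. The helper name `fill_unix_sockaddr` and the sample paths are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not from the Cyrus source): fill a sockaddr_un from a
 * configuration-supplied path, refusing any path that does not fit in
 * sun_path together with its terminating NUL.
 * Returns 0 and stores the address length in *len_out, or -1 with errno set. */
int fill_unix_sockaddr(struct sockaddr_un *sa, const char *path,
                       socklen_t *len_out)
{
    size_t n;

    if (!sa || !path || !len_out || path[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    n = strlen(path);
    /* sun_path is 108 bytes on Linux but differs elsewhere: use sizeof. */
    if (n >= sizeof(sa->sun_path)) {
        errno = ENAMETOOLONG;   /* fail loudly instead of truncating */
        return -1;
    }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n + 1);  /* n + 1 copies the NUL as well */
    *len_out = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

int main(void)
{
    struct sockaddr_un sa;
    socklen_t len;
    char longpath[sizeof(sa.sun_path) + 32];

    /* Constructed sample input: a path longer than sun_path can hold. */
    memset(longpath, 'x', sizeof(longpath) - 1);
    longpath[0] = '/';
    longpath[sizeof(longpath) - 1] = '\0';

    if (fill_unix_sockaddr(&sa, longpath, &len) < 0)
        perror("socket path rejected");
    if (fill_unix_sockaddr(&sa, "/tmp/example/ptsock", &len) == 0)
        printf("ok: %s (addrlen %u)\n", sa.sun_path, (unsigned)len);
    return 0;
}
```

Rejecting the over-long path, rather than truncating it with `strncpy()`, avoids both the unterminated string and a silent connect to a different socket name.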