Gadu-Gadu security issues

Daniel Atallah daniel.atallah at gmail.com
Tue Dec 18 09:49:21 EST 2012


On Tue, Dec 18, 2012 at 9:06 AM, Tomasz Wasilczyk <tomkiewi at gmail.com> wrote:
> I've checked all of these issues. Most of them are harmless, but I'm
> unsure about the importance of the vsnprintf-related one. All of them are
> located in the imported libgadu source code. Also, we don't use any code
> located in the dcc(7).c files.
>
> Proposed patch attached, I can commit it when necessary. When should I
> push this to upstream libgadu dev team?

I'm not sure what the appropriate thing to do for this is, hopefully
someone else will have some thoughts on that.

>
> Comments below.
>
>> CID 731948
>> libpurple/protocols/gg/lib/dcc7.c:658
>> strncpy((char*) s.filename, (char*) tmp->filename, GG_DCC7_FILENAME_LEN);
>>  * Buffer not null terminated (BUFFER_SIZE_WARNING)
>>    At (15): Calling strncpy with a maximum size argument of 255 bytes on
>>    destination array "s.filename" of size 255 bytes might leave the
>>    destination string unterminated.
>
> False positive, but not so obvious. I'll change strncpy to memcpy to
> make this code look cleaner.

Hmm... I'm missing why this is a false positive.
Is tmp->filename guaranteed to be less than 255 bytes?
Does s.filename have the last byte set to nul later?
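An added example (not libgadu code, and not from either poster) showing the behaviour behind the question above: `strncpy` with a size equal to the destination leaves no terminator when the source fills the buffer, and a `memcpy` of the same length would not add one either, so whether this is harmless depends on whether `s.filename` is only ever treated as a fixed-length wire field rather than a C string. `FILENAME_LEN = 255` is taken from the warning text; the `struct packet` stand-in and the test inputs are constructed here.

```c
/* Added example: the flagged strncpy pattern next to a copy that always
 * terminates. The struct is a stand-in, not libgadu's gg_dcc7 structure. */
#include <string.h>
#include <stddef.h>

#define FILENAME_LEN 255   /* from the Coverity message: 255-byte field */

struct packet {
    char filename[FILENAME_LEN];
};

/* Mirrors the flagged call: strncpy with size == destination size.
 * Returns 1 if the destination ended up nul-terminated, 0 otherwise. */
int copy_strncpy(struct packet *p, const char *src)
{
    strncpy(p->filename, src, FILENAME_LEN);
    return memchr(p->filename, '\0', FILENAME_LEN) != NULL;
}

/* Always terminated: copy at most FILENAME_LEN-1 bytes, then write the nul.
 * Returns 1 if src fit without truncation, 0 if it was truncated. */
int copy_terminated(struct packet *p, const char *src)
{
    size_t n = strlen(src);
    int fit = n < FILENAME_LEN;
    if (!fit)
        n = FILENAME_LEN - 1;
    memcpy(p->filename, src, n);
    p->filename[n] = '\0';
    return fit;
}

/* Constructed test input: a name of exactly `len` 'A' characters. */
void fill_name(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}
```

A reader that later passes `p->filename` to `strlen`, `printf("%s")` or a path API after `copy_strncpy` of a 255-byte name would read past the field; a reader that always uses the fixed length is unaffected.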

