Gadu-Gadu security issues

Tomasz Wasilczyk tomkiewi at gmail.com
Tue Dec 18 09:55:59 EST 2012


2012/12/18 Daniel Atallah <daniel.atallah at gmail.com>:
>>> CID 731948
>>> libpurple/protocols/gg/lib/dcc7.c:658
>>> strncpy((char*) s.filename, (char*) tmp->filename, GG_DCC7_FILENAME_LEN);
>>>  * Buffer not null terminated (BUFFER_SIZE_WARNING)At (15): Calling
>>> strncpy with a maximum size argument of 255 bytes on destination array
>>> "s.filename" of size 255 bytes might leave the destination string
>>> unterminated.
>>
>> False positive, but not so obvious. I'll change strncpy to memcpy to
>> make this code look cleaner.
>
> Hmm... I'm missing why this is a false positive.
> Is tmp->filename guaranteed to be less than 255 bytes?
> Does s.filename have the last byte set to nul later?

s.filename is not a nul-terminated string, but a const-length buffer
with some text padded with zeros. "s" is a Gadu-Gadu protocol packet
struct - it will be sent as a whole via gg_send_packet.
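The distinction at the centre of this thread, as an added example that is not libgadu's or Pidgin's code: a fixed-width, zero-padded packet field (here a constructed `struct pkt` with a hypothetical `FILENAME_LEN` standing in for `GG_DCC7_FILENAME_LEN`) is filled with an explicit pad and read back only with a bounded length, so a field that is exactly full and therefore has no terminator is still handled safely. It assumes the field is meant to be zero-padded rather than NUL-terminated, as the reply above states.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for GG_DCC7_FILENAME_LEN: a fixed-width wire field,
 * not a C string, so a full field legitimately has no terminating NUL. */
#define FILENAME_LEN 255

struct pkt {                      /* constructed packet struct, sent as a whole */
    uint32_t size;
    uint8_t  filename[FILENAME_LEN];
};

/* Bounded length: stops at the first zero byte or at max, never reads past it. */
static size_t bounded_len(const uint8_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0)
        n++;
    return n;
}

/* Fill the field: copy at most FILENAME_LEN bytes and zero the remainder.
 * Over-long names are truncated and fill the field exactly, with no NUL. */
void set_filename(struct pkt *p, const char *name)
{
    size_t n = bounded_len((const uint8_t *)name, FILENAME_LEN);
    memset(p->filename, 0, FILENAME_LEN);   /* the padding the sender relies on */
    memcpy(p->filename, name, n);
}

/* Consumer side: a bounded length, never strlen(), because of the full-field case. */
size_t filename_len(const struct pkt *p)
{
    return bounded_len(p->filename, FILENAME_LEN);
}

/* Turn the field into a real C string for local use; the caller's buffer must
 * have room for the NUL. Returns 0 on success, -1 if out is too small. */
int filename_to_cstr(const struct pkt *p, char *out, size_t out_size)
{
    size_t n = filename_len(p);
    if (out_size < n + 1)
        return -1;
    memcpy(out, p->filename, n);
    out[n] = '\0';
    return 0;
}

/* The property that makes sending the unterminated field safe: every byte
 * after the name is zero, so no stale stack or heap contents leave the host. */
int is_zero_padded(const struct pkt *p)
{
    for (size_t i = filename_len(p); i < FILENAME_LEN; i++)
        if (p->filename[i] != 0)
            return 0;
    return 1;
}
```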
