Gadu-Gadu security issues

Daniel Atallah daniel.atallah at gmail.com
Tue Dec 18 09:58:57 EST 2012


On Tue, Dec 18, 2012 at 9:55 AM, Tomasz Wasilczyk <tomkiewi at gmail.com> wrote:
> 2012/12/18 Daniel Atallah <daniel.atallah at gmail.com>:
>>>> CID 731948
>>>> libpurple/protocols/gg/lib/dcc7.c:658
>>>> strncpy((char*) s.filename, (char*) tmp->filename, GG_DCC7_FILENAME_LEN);
>>>>  * Buffer not null terminated (BUFFER_SIZE_WARNING)At (15): Calling
>>>> strncpy with a maximum size argument of 255 bytes on destination array
>>>> "s.filename" of size 255 bytes might leave the destination string
>>>> unterminated.
>>>
>>> False positive, but not so obvious. I'll change strncpy to memcpy to
>>> make this code look cleaner.
>>
>> Hmm... I'm missing why this is a false positive.
>> Is tmp->filename guaranteed to be less than 255 bytes?
>> Does s.filename have the last byte set to nul later?
>
> s.filename is not a nul-terminated string, but a const-length buffer
> with some text padded with zeros. "s" is a Gadu-Gadu protocol packet
> struct - it will be sent as a whole via gg_send_packet.

Aha, that makes sense.
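As an added illustration (not code from this thread or from libpurple), here is a hypothetical fixed-width, zero-padded packet field packed the way Tomasz describes, together with the bounded read-back a consumer needs because a full-width value carries no terminator. The struct, helper names and the field_len helper are assumptions; only the 255-byte width comes from the thread.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the field discussed above: a fixed-width,
 * zero-padded wire field, NOT a C string. 255 matches the page; the struct
 * layout is an assumption for this example. */
#define FILENAME_LEN 255

struct dcc7_pkt {
    unsigned char filename[FILENAME_LEN];
};

/* Bounded length scan: never runs past `cap` bytes, so a field with no
 * terminating nul is safe to measure (unlike strlen()). */
static size_t field_len(const unsigned char *p, size_t cap)
{
    size_t n = 0;
    while (n < cap && p[n] != 0)
        n++;
    return n;
}

/* Fill the fixed-width field: copy at most FILENAME_LEN bytes of the name
 * and zero-pad the rest. A name of exactly FILENAME_LEN bytes fills the
 * field with no terminator, which is what the wire format expects.
 * Returns the number of name bytes copied, so truncation is visible. */
size_t pack_filename(struct dcc7_pkt *pkt, const char *name)
{
    size_t n = field_len((const unsigned char *)name, FILENAME_LEN);
    memset(pkt->filename, 0, FILENAME_LEN);
    memcpy(pkt->filename, name, n);
    return n;
}

/* Read the field back as a real C string. The field itself must never be
 * handed to strlen()/printf("%s"): a full-width name has no nul.
 * Returns the length stored, or 0 with an empty output if `out` is too
 * small to hold the name plus its terminator. */
size_t unpack_filename(const struct dcc7_pkt *pkt, char *out, size_t out_sz)
{
    size_t n = field_len(pkt->filename, FILENAME_LEN);
    if (out_sz == 0)
        return 0;
    if (n >= out_sz) {
        out[0] = '\0';
        return 0;
    }
    memcpy(out, pkt->filename, n);
    out[n] = '\0';
    return n;
}
```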