From d134c6c5c5f740407fa8244b6a0b94fc50924986 Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Tue, 15 Jan 2013 14:44:49 -0500 Subject: Fix buffer overflow in get_module() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit get_module() includes this scanf call: if (sscanf(buf, "%*d\t%*s\t%100s\t%*d\t%100s\n", driver, dev) > 0) { i.e. "%100s" for each of driver and dev. i.e. a maximum field width of 100 for each. However, this field width does not include the NUL terminator. Increase the size of driver and dev from 100 to 101 to allow for the NUL byte. This appears to have been present in the initial commit of the code (8d6ad996f5d60d569532cdba4febb19c69bdf488) Found by Braňo Náter using the "cppcheck" static analyzer. --- python-ethtool/ethtool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-ethtool/ethtool.c b/python-ethtool/ethtool.c index b3fc65b..b31f609 100644 --- a/python-ethtool/ethtool.c +++ b/python-ethtool/ethtool.c @@ -500,7 +500,7 @@ static PyObject *get_module(PyObject *self __unused, PyObject *args) int eno = errno; FILE *file; int found = 0; - char driver[100], dev[100]; + char driver[101], dev[101]; close(fd); /* Before bailing, maybe it is a PCMCIA/PC Card? */ -- cgit