From 660809fe7e597520d17deab9225f1b371c08d65c Mon Sep 17 00:00:00 2001 From: neilbrown Date: Mon, 10 Apr 2006 09:57:17 +0000 Subject: 2006-04-10 NeilBrown Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit. --- utils/gssd/gssd_proc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'utils/gssd/gssd_proc.c') diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index bac0520..75a04f5 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -127,10 +127,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername, goto fail; close(fd); - numfields = sscanf(buf,"RPC server: %s\n" - "service: %s %s version %s\n" - "address: %s\n" - "protocol: %s\n", + numfields = sscanf(buf,"RPC server: %127s\n" + "service: %127s %15s version %15s\n" + "address: %127s\n" + "protocol: %15s\n", dummy, service, program, version, address, -- cgit