diff options
author | Dongsun Lee <ds73.lee@samsung.com> | 2017-07-24 16:13:29 +0900 |
---|---|---|
committer | Dongsun Lee <ds73.lee@samsung.com> | 2017-07-25 07:00:08 +0900 |
commit | 4e59d3b303dca961bd100d856c6781487ec1e8db (patch) | |
tree | 8069f9e93aef61310cbc2581bfbd27668f106011 | |
parent | f69917404c3bb626c9f1a0ae4f13fd88bf6a2f6b (diff) | |
download | key-manager-4e59d3b303dca961bd100d856c6781487ec1e8db.tar.gz key-manager-4e59d3b303dca961bd100d856c6781487ec1e8db.tar.bz2 key-manager-4e59d3b303dca961bd100d856c6781487ec1e8db.zip |
prevent buffer overflow at strncatsubmit/tizen_4.0_unified/20170814.115522submit/tizen_4.0/20170814.115522submit/tizen_4.0/20170811.094300submit/tizen/20170725.005058accepted/tizen/unified/20170725.173916accepted/tizen/4.0/unified/20170816.020055accepted/tizen/4.0/unified/20170816.013625
- The third argument of strncat is the string length to be copied, not buffer size.
So the last byte should be left for NULL character which terminates string.
- The alias arguemnt is under control of a client,
this alias variable can be manipulated maliciouly by the client.
Change-Id: Iff4677af36b91d02b7127eb46360033a301b5f87
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
-rw-r--r-- | src/manager/client-capi/ckmc-type.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp index 8ac6a2ba..1820aa9c 100644 --- a/src/manager/client-capi/ckmc-type.cpp +++ b/src/manager/client-capi/ckmc-type.cpp @@ -84,8 +84,8 @@ int ckmc_alias_new(const char *owner_id, const char *alias, char **full_alias) return CKMC_ERROR_OUT_OF_MEMORY; strncpy(_full_alias, owner_id, len + 1); - strncat(_full_alias, ckmc_owner_id_separator, len - strlen(_full_alias) + 1); - strncat(_full_alias, alias, len - strlen(_full_alias) + 1); + strncat(_full_alias, ckmc_owner_id_separator, len - strlen(_full_alias)); + strncat(_full_alias, alias, len - strlen(_full_alias)); *full_alias = _full_alias; |