File rad-buffer-overflow.diff of Package radiusclient-ng
From: Jan Engelhardt <jengelh@medozas.de>
Date: 2011-10-09 16:47:35.014125750 +0200
Upstream: dead
src: resolve crap code
I: Statement might be overflowing a buffer in strncat. Common mistake:
BAD: strncat(buffer,charptr,sizeof(buffer)) is wrong, it takes the left over size as 3rd argument
GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1)
E: radiusclient-ng bufferoverflowstrncat clientid.c:114:9
E: radiusclient-ng bufferoverflowstrncat radexample.c:63:10
E: radiusclient-ng bufferoverflowstrncat radius.c:107:10
I: Program returns random data in a function
E: radiusclient-ng no-return-in-nonvoid-function radstatus.c:114
---
lib/clientid.c | 6 +++---
src/radexample.c | 12 +++++-------
src/radius.c | 9 +++++----
src/radstatus.c | 1 +
4 files changed, 14 insertions(+), 14 deletions(-)
Index: radiusclient-ng-0.5.6/lib/clientid.c
===================================================================
--- radiusclient-ng-0.5.6.orig/lib/clientid.c
+++ radiusclient-ng-0.5.6/lib/clientid.c
@@ -109,9 +109,9 @@ UINT4 rc_map2id(rc_handle *rh, char *nam
*ttyname = '\0';
if (*name != '/')
- strcpy(ttyname, "/dev/");
-
- strncat(ttyname, name, sizeof(ttyname));
+ snprintf(ttyname, sizeof(ttyname), "/dev/%s", name);
+ else
+ snprintf(ttyname, sizeof(ttyname), "%s", name);
for(p = rh->map2id_list; p; p = p->next)
if (!strcmp(ttyname, p->name)) return p->id;
Index: radiusclient-ng-0.5.6/src/radexample.c
===================================================================
--- radiusclient-ng-0.5.6.orig/src/radexample.c
+++ radiusclient-ng-0.5.6/src/radexample.c
@@ -52,16 +52,14 @@ main (int argc, char **argv)
/*
* Fill in User-Name
*/
-
- strncpy(username_realm, username, sizeof(username_realm));
-
/* Append default realm */
if ((strchr(username_realm, '@') == NULL) && default_realm &&
(*default_realm != '\0'))
- {
- strncat(username_realm, "@", sizeof(username_realm));
- strncat(username_realm, default_realm, sizeof(username_realm));
- }
+ snprintf(username_realm, sizeof(username_realm),
+ "%s@%s", username, default_realm);
+ else
+ snprintf(username_realm, sizeof(username_realm),
+ "%s", username);
if (rc_avpair_add(rh, &send, PW_USER_NAME, username_realm, -1, 0) == NULL)
return ERROR_RC;
Index: radiusclient-ng-0.5.6/src/radius.c
===================================================================
--- radiusclient-ng-0.5.6.orig/src/radius.c
+++ radiusclient-ng-0.5.6/src/radius.c
@@ -102,10 +102,11 @@ LFUNC auth_radius(rc_handle *rh, UINT4 c
if ((strchr(username_realm, '@') == NULL) && default_realm &&
((*default_realm) != '\0'))
- {
- strncat(username_realm, "@", sizeof(username_realm));
- strncat(username_realm, default_realm, sizeof(username_realm));
- }
+ snprintf(username_realm, sizeof(username_realm),
+ "%s@%s", username, default_realm);
+ else
+ snprintf(username_realm, sizeof(username_realm),
+ "%s", username);
if (rc_avpair_add(rh, &send, PW_USER_NAME, username_realm, -1, 0) == NULL)
return NULL;
Index: radiusclient-ng-0.5.6/src/radstatus.c
===================================================================
--- radiusclient-ng-0.5.6.orig/src/radstatus.c
+++ radiusclient-ng-0.5.6/src/radstatus.c
@@ -111,4 +111,5 @@ int main (int argc, char **argv)
fputs(msg, stdout);
}
}
+ return EXIT_SUCCESS;
}