diff options
author | peter <peter@FreeBSD.org> | 1996-07-28 20:29:10 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1996-07-28 20:29:10 +0000 |
commit | ca46dbbc1cc6bec00272a095140960f29822e1c1 (patch) | |
tree | 6e3cea6cff1002cc56f9033f62c7a6e967af8033 /sbin/ping | |
parent | 5e197e7c26ceb2b04625b7a0b48f433206d93b70 (diff) | |
download | FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.zip FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.tar.gz |
Limit the risk of `buf' overrun in ping.c when printing hostnames.
Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subert the flow of execution in any way. About the worst case was
that if you pinged a long hostname, ping could coredump.
Pointed out on: bugtraq (listserv@netspace.org)
Diffstat (limited to 'sbin/ping')
-rw-r--r-- | sbin/ping/ping.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 3545c31..de19a45 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -959,9 +959,10 @@ pr_addr(l) if ((options & F_NUMERIC) || !(hp = gethostbyaddr((char *)&l, 4, AF_INET))) - (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); + (void)snprintf(buf, sizeof(buf), "%s", + inet_ntoa(*(struct in_addr *)&l)); else - (void)sprintf(buf, "%s (%s)", hp->h_name, + (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&l)); return(buf); } |