Limit the risk of `buf' overrun in ping.c when printing hostnames.

Note, this is not really a security risk, because the buffer in question is a static variable in the data segment and not on the stack, and hence cannot subert the flow of execution in any way. About the worst case was that if you pinged a long hostname, ping could coredump. Pointed out on: bugtraq (listserv@netspace.org)
author: peter <peter@FreeBSD.org> 1996-07-28 20:29:10 +0000
committer: peter <peter@FreeBSD.org> 1996-07-28 20:29:10 +0000
commit: ca46dbbc1cc6bec00272a095140960f29822e1c1 (patch)
tree: 6e3cea6cff1002cc56f9033f62c7a6e967af8033 /sbin
parent: 5e197e7c26ceb2b04625b7a0b48f433206d93b70 (diff)
download: FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.zip
FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 3545c31..de19a45 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -959,9 +959,10 @@ pr_addr(l)
 
 	if ((options & F_NUMERIC) ||
 	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
-		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
+		(void)snprintf(buf, sizeof(buf), "%s",
+		    inet_ntoa(*(struct in_addr *)&l));
 	else
-		(void)sprintf(buf, "%s (%s)", hp->h_name,
+		(void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
 		    inet_ntoa(*(struct in_addr *)&l));
 	return(buf);
 }
author	peter <peter@FreeBSD.org>	1996-07-28 20:29:10 +0000
committer	peter <peter@FreeBSD.org>	1996-07-28 20:29:10 +0000
commit	ca46dbbc1cc6bec00272a095140960f29822e1c1 (patch)
tree	6e3cea6cff1002cc56f9033f62c7a6e967af8033 /sbin
parent	5e197e7c26ceb2b04625b7a0b48f433206d93b70 (diff)
download	FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.zip FreeBSD-src-ca46dbbc1cc6bec00272a095140960f29822e1c1.tar.gz