Changeset 823671c


Ignore:
Timestamp:
Feb 11, 2009, 12:20:22 PM (11 years ago)
Author:
Nelson Elhage <nelhage@mit.edu>
Branches:
master, debian, release-1.4, release-1.5, release-1.6, release-1.7, release-1.8, release-1.9
Children:
f34dd65
Parents:
3538bc8
git-author:
Sam Hartman <hartmans@mit.edu> (02/10/09 18:07:17)
git-committer:
Nelson Elhage <nelhage@mit.edu> (02/11/09 12:20:22)
Message:
owl_zwrite_send_message: avoid buffer overflow with to

The variable to was set up with sprintf without bounds checking; use
dynamic allocation.
File:
1 edited

Legend:

Unmodified
Added
Removed
  • zwrite.c

    r3538bc8 r823671c  
    264264{
    265265  int i, j;
    266   char to[LINE];
     266  char *to = NULL;
    267267
    268268  if (z->message==NULL) return(-1);
     
    272272    for (i=0; i<j; i++) {
    273273      if (strcmp(z->realm, "")) {
    274         sprintf(to, "%s@%s", (char *) owl_list_get_element(&(z->recips), i), z->realm);
     274        to = owl_sprintf("%s@%s", (char *) owl_list_get_element(&(z->recips), i), z->realm);
    275275      } else {
    276         strcpy(to, owl_list_get_element(&(z->recips), i));
     276        to = owl_strdup( owl_list_get_element(&(z->recips), i));
    277277      }
    278278      send_zephyr(z->opcode, z->zsig, z->class, z->inst, to, z->message);
     279      owl_free(to);
     280      to = NULL;
    279281    }
    280282  } else {
    281     sprintf(to, "@%s", z->realm);
     283    to = owl_sprintf( "@%s", z->realm);
    282284    send_zephyr(z->opcode, z->zsig, z->class, z->inst, to, z->message);
    283285  }
     286  owl_free(to);
    284287  return(0);
    285288}
Note: See TracChangeset for help on using the changeset viewer.