[Bug-glibc] PR 82 revisited
From: Jens-Uwe Mager
Subject: [Bug-glibc] PR 82 revisited
Date: Tue, 19 Sep 2000 14:31:15 +0200
The fix for the host name length problem introduced in PR#82 does itself
overrun the allocated buffer by one byte. The code in sunrpc/clnt_simp.c
is:
crp->oldhost = malloc(256);
and later:
(void) strncpy(crp->oldhost, host, 255);
crp->oldhost[256] = '\0';
The nul byte is written one byte beyond the allocated buffer; I would
suspect:
crp->oldhost[255] = '\0';
was meant here. The problem pops up if the program using callrpc is
debugged using efence.
--
Jens-Uwe Mager
HELIOS Software GmbH
Steinriede 3
30827 Garbsen
Germany
Phone: +49 5131 709320
FAX: +49 5131 709325
Internet: address@hidden
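The corrected pattern from the report, written out as an added example (hypothetical helper names, not glibc's own code): a 256-byte buffer holds at most 255 characters plus the terminator, so the terminator goes at index 255, and the explicit store is needed because strncpy does not terminate when the source is at least as long as the count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OLDHOST_SIZE 256  /* same size as the malloc(256) in clnt_simp.c */

/* Hypothetical helper: copy `host` into a freshly allocated
 * OLDHOST_SIZE buffer, truncating to at most OLDHOST_SIZE-1 characters
 * and always NUL-terminating inside the buffer.  The terminator index
 * is size-1 (255), not size (256), which is the off-by-one in PR 82. */
char *copy_oldhost(const char *host)
{
    char *oldhost = malloc(OLDHOST_SIZE);
    if (oldhost == NULL)
        return NULL;
    (void) strncpy(oldhost, host, OLDHOST_SIZE - 1);
    oldhost[OLDHOST_SIZE - 1] = '\0';   /* last valid byte of the buffer */
    return oldhost;
}

/* Returns 1 if the copy is NUL-terminated inside the buffer and holds
 * at most OLDHOST_SIZE-1 characters, 0 otherwise. */
int oldhost_is_bounded(const char *oldhost)
{
    return memchr(oldhost, '\0', OLDHOST_SIZE) != NULL
        && strlen(oldhost) <= OLDHOST_SIZE - 1;
}

/* Constructed sample input: a host name of n 'a' characters, used to
 * exercise the truncation path with a name longer than the buffer. */
char *constructed_host(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *in = constructed_host(300);
    char *out = copy_oldhost(in);
    printf("copied %zu of %zu chars, bounded=%d\n",
           strlen(out), strlen(in), oldhost_is_bounded(out));
    free(in);
    free(out);
    return 0;
}
```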