Hey, glibc just found this on Fedora. A stack overrun of a few bytes in the sname variable in the Coda server main routine. It's 20 bytes long, and at least one of the sprintf calls writes at least 23 bytes to the buffer. The patch below fixes it. I suppose switching to snprintf would be better, but the code seems so unlikely to change further at this point, this just seemed a bit more straightforward.

Neil

Signed-off-by: Neil Horman <nhorman_at_tuxdriver.com>

srv.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coda-src/vice/srv.cc b/coda-src/vice/srv.cc index e0c5144..d75cc52 100644 --- a/coda-src/vice/srv.cc +++ b/coda-src/vice/srv.cc @@ -315,7 +315,7 @@ void zombie(int sig) int main(int argc, char *argv[]) { - char sname[20]; + char sname[32]; int i; struct stat buff; PROCESS serverPid, resPid, smonPid, resworkerPid;

Received on 2009-07-20 20:04:48
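Review bot: the hunk only enlarges `char sname[20]` to `char sname[32]`, and the sprintf() calls that fill sname are not part of the diff, so the patch alone does not let a reviewer confirm that 32 bytes covers the longest string any of those calls can produce. Given that the message already states one call writes at least 23 bytes, the more defensible fix is to bound the writes, e.g. `snprintf(sname, sizeof(sname), ...)`, or at minimum to add a comment at the declaration recording the maximum formatted length so a later format change does not reintroduce the overrun.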
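As an added example (not code from the Coda patch or from Neil's mail), the difference between the two fixes discussed above: growing the buffer versus bounding the write. The format string, host name and port are constructed stand-ins, since the post does not show the real sprintf() calls in srv.cc.

```c
#include <stdio.h>
#include <string.h>

#define SNAME_OLD 20   /* sizeof sname before the patch */
#define SNAME_NEW 32   /* sizeof sname after the patch */

/* Hypothetical stand-in for the sprintf() format used to fill sname;
 * the post does not show the real one. snprintf() returns the length
 * the complete string needs, without writing past cap bytes. */
static int format_sname(char *dst, size_t cap, const char *host, int port)
{
    return snprintf(dst, cap, "codasrv-%s:%d", host, port);
}

/* 1 if the name fits a cap-byte buffer (including the NUL), else 0.
 * With plain sprintf() into char sname[cap], a 0 here is the stack overrun. */
int sname_fits(size_t cap, const char *host, int port)
{
    int need = format_sname(NULL, 0, host, port);   /* size-only query */
    return need >= 0 && (size_t)need < cap;
}

/* Bounded replacement for the sprintf() call: fills dst and reports
 * truncation instead of overrunning. Returns 1 on success, 0 if truncated. */
int set_sname(char *dst, size_t cap, const char *host, int port)
{
    int need = format_sname(dst, cap, host, port);
    if (need < 0 || (size_t)need >= cap) {
        if (cap > 0) dst[0] = '\0';   /* fail closed: do not use a partial name */
        return 0;
    }
    return 1;
}

int main(void)
{
    char sname[SNAME_NEW];
    const char *host = "example.org";  /* constructed sample input */
    printf("%d-byte buffer fits: %d\n", SNAME_OLD, sname_fits(SNAME_OLD, host, 2432));
    printf("%d-byte buffer fits: %d\n", SNAME_NEW, sname_fits(SNAME_NEW, host, 2432));
    if (set_sname(sname, sizeof sname, host, 2432))
        printf("sname = %s\n", sname);
    return 0;
}
```

With the stand-in format, "codasrv-example.org:2432" is 24 bytes plus the NUL, so it overruns the 20-byte buffer and fits the 32-byte one; a longer host name still overruns 32 bytes, which is what the bounded variant catches.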