buffer overflows in cm_msg()
Issue #176
resolved
There are at least 2 buffer overflows in cm_msg()
1) cm_msg_format() uses sprintf() instead of snprintf() and does not respect sizeof_message. Also, we should add: assert(strlen(message) < sizeof_message)
2) cm_msg_buffer() does not ensure that we do not overflow the ring buffer: it is created with a max message length of 1024, and we should ensure we do not call rb_increment_wp() with a message length bigger than that. Plus, we should ensure no write into the write pointer "wp" past 1024 bytes.
K.O.
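The two checks the report asks for, as an added example that is not MIDAS code: a formatter that bounds its output with vsnprintf() and reports truncation instead of overrunning sizeof_message, and a fixed-slot ring-buffer write that refuses any message longer than the slot. msg_format, rb_put, ring_t and MAX_MSG_LEN are hypothetical names; only the 1024-byte limit comes from the issue.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Slot size of the hypothetical ring buffer, mirroring the 1024-byte
   message limit quoted in the issue. */
#define MAX_MSG_LEN 1024

/* Bounded formatting: returns 0 on success, -1 if the message did not fit.
   vsnprintf() never writes past sizeof_message and always NUL-terminates,
   so a too-long message is truncated rather than overflowing the buffer. */
int msg_format(char *message, size_t sizeof_message, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(message, sizeof_message, fmt, ap);
    va_end(ap);
    if (needed < 0) {            /* encoding error: leave an empty string */
        message[0] = '\0';
        return -1;
    }
    /* 'needed' is the length the full message would have had */
    return (size_t)needed < sizeof_message ? 0 : -1;
}

/* Minimal ring buffer of fixed MAX_MSG_LEN slots with a write pointer. */
typedef struct {
    char   buf[4 * MAX_MSG_LEN];
    size_t wp;
} ring_t;

/* Copies one message into the slot at wp. Returns -1 and leaves the buffer
   untouched if the message (with terminator) would exceed the slot size. */
int rb_put(ring_t *rb, const char *message)
{
    size_t len = strlen(message) + 1;            /* include the NUL */
    if (len > MAX_MSG_LEN)
        return -1;                               /* never write past the slot */
    if (rb->wp + MAX_MSG_LEN > sizeof rb->buf)
        rb->wp = 0;                              /* wrap to the first slot */
    memcpy(rb->buf + rb->wp, message, len);
    rb->wp += MAX_MSG_LEN;                       /* advance one whole slot */
    return 0;
}
```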
Comments (2)
Fix bug 176, cm_msg_format() use vsnprintf().
→ <<cset cd2afd16afa7>>