[ic] vlink MINIVEND_SOCKET patch
David Christensen
david at endpoint.com
Wed May 6 13:58:03 UTC 2020
>> On May 5, 2020, at 1:03 PM, Peter Ajamian <peter at pajamian.dhs.org> wrote:
>>
>> On 6/05/20 5:30 am, Peter wrote:
>>>>> Also, if strlen(lsocket) > sizeof(sa.sun_path), a truncated copy would end up being bunko, since it won’t refer to an actual valid path; would it be better to just check if strlen(lsocket) > sizeof(sa.sun_path) -1 and error out if so?
>>>>
>>>> Great point. No reason to proceed if the filename will be truncated.
>>> I agree, but I think we should do both, even though only one or the other is needed to prevent a buffer overflow both just makes doubly safe, and I tend to prefer to get rid of strcpy in favor of strncpy where I see it.
>>
>> This should patch both vlink.c and vlink.pl. I still haven't tested:
Looks good to me, thanks.
--
David Christensen
Senior Software and Database Engineer
End Point Corporation
david at endpoint.com
785-727-1171
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://www.interchangecommerce.org/pipermail/interchange-users/attachments/20200506/486bbe13/attachment.sig>
More information about the interchange-users
mailing list