projects / platform / core / security / key-manager.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f699174)
prevent buffer overflow at strncat 11/140211/3 accepted/tizen/4.0/unified/20170816.013625 accepted/tizen/4.0/unified/20170816.020055 accepted/tizen/unified/20170725.173916 submit/tizen/20170725.005058 submit/tizen_4.0/20170811.094300 submit/tizen_4.0/20170814.115522 submit/tizen_4.0_unified/20170814.115522
authorDongsun Lee <ds73.lee@samsung.com>
Mon, 24 Jul 2017 07:13:29 +0000 (16:13 +0900)
committerDongsun Lee <ds73.lee@samsung.com>
Mon, 24 Jul 2017 22:00:08 +0000 (07:00 +0900)
- The third argument of strncat is the string length to be copied, not buffer size.
  So the last byte should be left for NULL character which terminates string.
- The alias arguemnt is under control of a client,
  this alias variable can be manipulated maliciouly by the client.

Change-Id: Iff4677af36b91d02b7127eb46360033a301b5f87
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
src/manager/client-capi/ckmc-type.cpp patch | blob | history

diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp
index 8ac6a2b..1820aa9 100644 (file)
--- a/src/manager/client-capi/ckmc-type.cpp
+++ b/src/manager/client-capi/ckmc-type.cpp
@@ -84,8 +84,8 @@ int ckmc_alias_new(const char *owner_id, const char *alias, char **full_alias)
                return CKMC_ERROR_OUT_OF_MEMORY;
 
        strncpy(_full_alias, owner_id, len + 1);
-       strncat(_full_alias, ckmc_owner_id_separator, len - strlen(_full_alias) + 1);
-       strncat(_full_alias, alias, len - strlen(_full_alias) + 1);
+       strncat(_full_alias, ckmc_owner_id_separator, len - strlen(_full_alias));
+       strncat(_full_alias, alias, len - strlen(_full_alias));
 
        *full_alias = _full_alias;
 
Domain: Security / Utilities;