[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-tar] Unterminated buffer in rtapelib.c
From: |
Leland Lucius |
Subject: |
[Bug-tar] Unterminated buffer in rtapelib.c |
Date: |
Fri, 27 Feb 2004 02:24:25 -0600 |
The seek and ioctl routines do not null terminate the buffers used to convert
operand_buffer. This
causes garbage date to follow the number in the data stream. This (untried)
fix should fix it:
Leland
--- rtapelib.c.orig 2003-10-04 13:18:02.000000000 -0500
+++ rtapelib.c 2004-02-27 02:19:14.000000000 -0600
@@ -601,10 +601,12 @@
rmt_lseek__ (int handle, off_t offset, int whence)
{
char command_buffer[COMMAND_BUFFER_SIZE];
- char operand_buffer[UINTMAX_STRSIZE_BOUND];
+ char operand_buffer[UINTMAX_STRSIZE_BOUND + 1];
uintmax_t u = offset < 0 ? - (uintmax_t) offset : (uintmax_t) offset;
char *p = operand_buffer + sizeof operand_buffer;
+ *--p = '\0';
+
do
*--p = '0' + (int) (u % 10);
while ((u /= 10) != 0);
@@ -642,12 +644,14 @@
case MTIOCTOP:
{
char command_buffer[COMMAND_BUFFER_SIZE];
- char operand_buffer[UINTMAX_STRSIZE_BOUND];
+ char operand_buffer[UINTMAX_STRSIZE_BOUND + 1];
uintmax_t u = (((struct mtop *) argument)->mt_count < 0
? - (uintmax_t) ((struct mtop *) argument)->mt_count
: (uintmax_t) ((struct mtop *) argument)->mt_count);
char *p = operand_buffer + sizeof operand_buffer;
+ *--p = '\0';
+
do
*--p = '0' + (int) (u % 10);
while ((u /= 10) != 0);
<<eof>>
- [Bug-tar] Unterminated buffer in rtapelib.c,
Leland Lucius <=