
[Info-mtools] Buffer overflow in mclasserase.c (mtools 4.0.17)


From: Linards Ticmanis
Subject: [Info-mtools] Buffer overflow in mclasserase.c (mtools 4.0.17)
Date: Wed, 25 Apr 2012 12:14:49 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120410 Thunderbird/11.0.1

Hello,

there's a buffer overflow in mclasserase.c as it exists in mtools
4.0.17. The char array "drivel" is written with a two-character string
PLUS terminating zero byte, but it only has room for two bytes, not
three. Without a fix, mclasserase crashes on (at least) Ubuntu Precise.

The offending line is line 147:

  sprintf( drivel, "%c:", tolower(drive) );

To fix it, please do this change:

--- cut here ---
diff -du mtools-4.0.17/mclasserase.c mtools-4.0.17-fixed/mclasserase.c
--- mtools-4.0.17/mclasserase.c 2009-08-29 17:22:08.000000000 +0200
+++ mtools-4.0.17-fixed/mclasserase.c   2012-04-25 12:03:09.905387247 +0200
@@ -90,7 +90,7 @@

   char cCardType[12];

-  char drivel[2];              /* Stores the drive letter */
+  char drivel[3];              /* Stores the drive letter */


   int i = 0;
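
Review bot: The declaration `char drivel[3];` now fits the "%c:" output plus its terminating zero byte, but the size is still a bare constant that is only loosely tied to the write at line 147, which remains an unbounded `sprintf( drivel, "%c:", tolower(drive) );`. Consider changing that call to `snprintf(drivel, sizeof(drivel), "%c:", tolower(drive));` in the same patch so a later change to the format string cannot silently overrun the array again. The comment "Stores the drive letter" would also be more accurate if it said the buffer holds the drive letter, the colon and the terminator, which is what justifies the 3.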
--- cut here ---

Regards,
-- 
Linards Ticmanis



