devproc buffer overflow, strncpy

in devproc status read handler the p->status, p->text and p->user could overflow the local statbuf buffer as they where copied into it with code like: memmove(statbuf+someoff, p->text, strlen(p->text)). now using readstr() which will truncate if the string is too long. make strncpy() usage consistent, make sure results are always null terminated.
author: cinap_lenrek <cinap_lenrek@gmx.de> 2012-10-01 02:52:05 +0200
committer: cinap_lenrek <cinap_lenrek@gmx.de> 2012-10-01 02:52:05 +0200
commit: 9e7ecc41d56148866725e26c872909823d515963 (patch)
tree: deade257be67db80e2f6f49323cc8dd56fcb370d /sys/src/9/port/netif.c
parent: 347ac6ef58d82e714358935568abcffd3509cfe8 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/sys/src/9/port/netif.c b/sys/src/9/port/netif.c
index 57e90c426..444ef3907 100644
--- a/sys/src/9/port/netif.c
+++ b/sys/src/9/port/netif.c
@@ -374,8 +374,10 @@ netifwstat(Netif *nif, Chan *c, uchar *db, int n)
 		free(dir);
 		error(Eshortstat);
 	}
-	if(!emptystr(dir[0].uid))
-		strncpy(f->owner, dir[0].uid, KNAMELEN);
+	if(!emptystr(dir[0].uid)){
+		strncpy(f->owner, dir[0].uid, KNAMELEN-1);
+		f->owner[KNAMELEN-1] = 0;
+	}
 	if(dir[0].mode != ~0UL)
 		f->mode = dir[0].mode;
 	free(dir);
@@ -471,7 +473,8 @@ netown(Netfile *p, char *o, int omode)
 			return -1;
 		}
 	}
-	strncpy(p->owner, o, KNAMELEN);
+	strncpy(p->owner, o, KNAMELEN-1);
+	p->owner[KNAMELEN-1] = 0;
 	p->mode = 0660;
 	unlock(&netlock);
 	return 0;
author	cinap_lenrek <cinap_lenrek@gmx.de>	2012-10-01 02:52:05 +0200
committer	cinap_lenrek <cinap_lenrek@gmx.de>	2012-10-01 02:52:05 +0200
commit	9e7ecc41d56148866725e26c872909823d515963 (patch)
tree	deade257be67db80e2f6f49323cc8dd56fcb370d /sys/src/9/port/netif.c
parent	347ac6ef58d82e714358935568abcffd3509cfe8 (diff)