# HG changeset patch
# User al
# Date 1353972960 0
# Node ID 7bad316da87add407f674fceb93ee77864c72309
# Parent 67de02ade8af2ca650d491d90cb4eff65310dfd4
stream ftp: Pass full buffer size to snprintf
Previously the buffer size was always passed as one less than the underlying buffer's size. This is not using the underlying buffer to its full potential according to the C99 standard. The last byte of the buffers were never used. No vulnerabilities should have been caused by this mistake because the strings stored in the buffers were zero terminated at all times. Neither were out-of-array writes nor reads possible.
diff -r 67de02ade8af -r 7bad316da87a stream/stream_ftp.c
--- a/stream/stream_ftp.c Mon Nov 26 19:50:32 2012 +0000
+++ b/stream/stream_ftp.c Mon Nov 26 23:36:00 2012 +0000
@@ -281,7 +281,7 @@
 sscanf(par+1,"%u,%u,%u,%u,%u,%u",&num[0],&num[1],&num[2], &num[3],&num[4],&num[5]);
- snprintf(str,127,"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
+ snprintf(str,sizeof(str),"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
 fd = connect2Server(str,(num[4]<<8)+num[5],0);
 if(fd < 0)
@@ -301,7 +301,7 @@
 if(s->fd < 0) return 0;
 if(newpos > 0) {
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"REST %"PRId64, (int64_t)newpos);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"REST %"PRId64, (int64_t)newpos);
 resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 if(resp != 3) {
@@ -311,7 +311,7 @@
 }
 // Get the file
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"RETR %s",p->filename);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename);
 resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 if(resp != 1) {
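Review bot: The sscanf() result in the context line just above the changed snprintf() is not checked, so a reply with fewer than six fields may leave part of num[] unset before it is formatted into str and passed to connect2Server(). The parsed fields are not range-checked either (each address field should be 0-255), and the array is read with %u but printed with %d, so one of the two conversions cannot match the declared element type. A guard such as `if(sscanf(par+1,"%u,%u,%u,%u,%u,%u",&num[0],&num[1],&num[2],&num[3],&num[4],&num[5]) != 6)` followed by the function's existing error return would close the first gap. The declarations of str and num are outside the hunk, so `sizeof(str)` is only the right bound if str is an array in this scope rather than a pointer.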
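Review bot: With the `- 1` removed, the limit passed for the REST command is exactly CMD_BUFSIZE, so the call is only safe if p->cmd_buf really provides at least CMD_BUFSIZE bytes; its declaration or allocation is outside the hunk and should be checked against this macro. The same holds for the RETR, USER, PASS and SIZE calls in the later hunks. If cmd_buf is an array member, `sizeof(p->cmd_buf)` would tie the bound to the declaration the way the first hunk does with `sizeof(str)`. If it is heap-allocated, a comment at the allocation such as `/* every snprintf into cmd_buf passes CMD_BUFSIZE as its limit */` would record the dependency.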
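Review bot: The return value of snprintf() is ignored for the RETR command, so a filename that does not fit is silently truncated and the shortened command is still sent, possibly naming a different path than the one requested; the USER, PASS and SIZE calls in the later hunks have the same gap. A check along the lines of `n = snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename); if(n < 0 || n >= CMD_BUFSIZE) return 0;` would fail the request instead. p->filename also goes into the command through a bare %s, so unless it is validated where it is parsed (not visible here) a CR or LF inside it would end the command early and the server would treat the remainder as a separate command; rejecting control characters before formatting is worth adding. The enclosing function starts and ends outside the hunk, so the appropriate error return should be confirmed there.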
@@ -464,12 +464,12 @@
 }
 // Login
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"USER %s",p->user);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"USER %s",p->user);
 resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 // password needed
 if(resp == 3) {
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"PASS %s",p->pass);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"PASS %s",p->pass);
 resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 if(resp != 2) {
 mp_msg(MSGT_OPEN,MSGL_ERR, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);
@@ -491,7 +491,7 @@
 }
 // Get the filesize
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"SIZE %s",p->filename);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"SIZE %s",p->filename);
 resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 if(resp != 2) {
 mp_msg(MSGT_OPEN,MSGL_WARN, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);
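Review bot: When the PASS command fails, the mp_msg() call at the end of this hunk prints p->cmd_buf, which at that point still holds the full `PASS ...` command unless FtpSendCmd() rewrites the buffer, so the password ends up in the error log. Logging a fixed command name avoids that: `mp_msg(MSGT_OPEN,MSGL_ERR,"[ftp] command 'PASS' failed: %s\n",rsp_txt);`. The buffer also keeps the password until a later command overwrites it, so clearing cmd_buf once the PASS exchange is finished would shorten that window. The `if(resp != 2)` block continues past the end of the hunk, so what follows the log call is not visible here.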