changeset 35394:7bad316da87a

stream ftp: Pass full buffer size to snprintf

Previously the buffer size was always passed as one less than the underlying buffer's size. This does not use the underlying buffer to its full potential according to the C99 standard: the last byte of each buffer was never used. No vulnerabilities should have been caused by this mistake, because the strings stored in the buffers were zero-terminated at all times. Neither out-of-array writes nor out-of-array reads were possible.
author al
date Mon, 26 Nov 2012 23:36:00 +0000
parents 67de02ade8af
children e740eaf25f32
files stream/stream_ftp.c
diffstat 1 files changed, 6 insertions(+), 6 deletions(-) [+]
--- a/stream/stream_ftp.c	Mon Nov 26 19:50:32 2012 +0000
+++ b/stream/stream_ftp.c	Mon Nov 26 23:36:00 2012 +0000
@@ -281,7 +281,7 @@
 
   sscanf(par+1,"%u,%u,%u,%u,%u,%u",&num[0],&num[1],&num[2],
 	 &num[3],&num[4],&num[5]);
-  snprintf(str,127,"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
+  snprintf(str,sizeof(str),"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
   fd = connect2Server(str,(num[4]<<8)+num[5],0);
 
   if(fd < 0)
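Review bot: The `sscanf` return value is not checked before `num[0]`..`num[5]` are formatted into `str` and passed to `connect2Server`, so a malformed server reply can leave some fields unassigned (the declaration of `num` is outside the hunk, so whether it is initialised cannot be seen here). I would require all six conversions, `if (sscanf(par+1,"%u,%u,%u,%u,%u,%u",&num[0],&num[1],&num[2],&num[3],&num[4],&num[5]) != 6)` followed by the function's failure path, and reject any field above 255 before building the address and `(num[4]<<8)+num[5]`. The fields are read with `%u` but printed with `%d`, so one of the two conversions does not match the type of `num`. The address comes entirely from the server; comparing it with the control connection's peer before connecting would be a reasonable extra check, though the data needed for that is not visible in this hunk.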
@@ -301,7 +301,7 @@
   if(s->fd < 0) return 0;
 
   if(newpos > 0) {
-    snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"REST %"PRId64, (int64_t)newpos);
+    snprintf(p->cmd_buf,CMD_BUFSIZE,"REST %"PRId64, (int64_t)newpos);
 
     resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
     if(resp != 3) {
@@ -311,7 +311,7 @@
   }
 
   // Get the file
-  snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"RETR %s",p->filename);
+  snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename);
   resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 
   if(resp != 1) {
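Review bot: The `snprintf` result for `"RETR %s"` is ignored, so an over-long `p->filename` is silently truncated and a different path is requested than the one the caller supplied. The call should detect truncation, for example `if ((unsigned)snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename) >= CMD_BUFSIZE) return 0;` (the `return 0` mirrors the failure return visible a few lines earlier, assuming this is the same function). If `p->filename` can contain CR or LF, which depends on URL parsing that is not visible here, the buffer would hold more than one command line, so control characters should be rejected where the name is parsed. The same two points apply to the `USER %s` / `PASS %s` calls in the hunk at -464 and the `SIZE %s` call in the hunk at -491.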
@@ -464,12 +464,12 @@
   }
 
   // Login
-  snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"USER %s",p->user);
+  snprintf(p->cmd_buf,CMD_BUFSIZE,"USER %s",p->user);
   resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
 
   // password needed
   if(resp == 3) {
-    snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"PASS %s",p->pass);
+    snprintf(p->cmd_buf,CMD_BUFSIZE,"PASS %s",p->pass);
     resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
     if(resp != 2) {
       mp_msg(MSGT_OPEN,MSGL_ERR, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);
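Review bot: The error message on the last line of this hunk prints `p->cmd_buf` immediately after it was filled with `"PASS %s"`, so a rejected login writes the clear-text password to the message log at `MSGL_ERR`. Log a fixed command name instead, `mp_msg(MSGT_OPEN,MSGL_ERR, "[ftp] command 'PASS' failed: %s\n",rsp_txt);`. The `if(resp != 2)` block continues outside the hunk.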
@@ -491,7 +491,7 @@
   }
 
   // Get the filesize
-  snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"SIZE %s",p->filename);
+  snprintf(p->cmd_buf,CMD_BUFSIZE,"SIZE %s",p->filename);
   resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
   if(resp != 2) {
     mp_msg(MSGT_OPEN,MSGL_WARN, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);