Although the function checks the length, if the code was in error, there
could potentially be a buffer overrun with the use of sprintf. Instead replace
with snprintf.
Signed-off-by: Steven Dake <sdake_at_redhat.com>
---
src/knownhost.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/knownhost.c b/src/knownhost.c
index 193bda3..c58dfbb 100644
--- a/src/knownhost.c
+++ b/src/knownhost.c
@@ -997,10 +997,10 @@ knownhost_writeline(LIBSSH2_KNOWNHOSTS *hosts,
if(nlen <= buflen)
if(node->comment)
- sprintf(buf, "|1|%s|%s%s %s %s\n", saltalloc, namealloc,
+ snprintf(buf, buflen, "|1|%s|%s%s %s %s\n", saltalloc, namealloc,
keytype, node->key, node->comment);
else
- sprintf(buf, "|1|%s|%s%s %s\n", saltalloc, namealloc,
+ snprintf(buf, buflen, "|1|%s|%s%s %s\n", saltalloc, namealloc,
keytype, node->key);
else
rc = _libssh2_error(hosts->session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
@@ -1016,10 +1016,10 @@ knownhost_writeline(LIBSSH2_KNOWNHOSTS *hosts,
if(nlen <= buflen)
/* these types have the plain name */
if(node->comment)
- sprintf(buf, "%s%s %s %s\n", node->name, keytype, node->key,
+ snprintf(buf, buflen, "%s%s %s %s\n", node->name, keytype, node->key,
node->comment);
else
- sprintf(buf, "%s%s %s\n", node->name, keytype, node->key);
+ snprintf(buf, buflen, "%s%s %s\n", node->name, keytype, node->key);
else
rc = _libssh2_error(hosts->session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
"Known-host write buffer too small");
--
1.7.7.6
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2012-03-06