btw.. you're still overwriting 1 byte after the bounds of output_base_name, output_base_name[sizeof(output_base_name)-1] = '\0'; will be sane...

----- Original Message -----
From: "Didier Arenzana" <darenzana@yahoo.fr>
To: "Shaun Colley" <shaunige@yahoo.co.uk>; <bugtraq@securityfocus.com>
Sent: Wednesday, April 07, 2004 5:03 AM
Subject: Re: GNU Sharutils buffer overflow vulnerability.

> --- Shaun Colley <shaunige@yahoo.co.uk> wrote:
> > Product: GNU Sharutils -
>
> Hello,
> I've just read your advisory, and I'd like to advise your patch is
> incomplete:
>
> > [...]
> > case 'o':
> > - strcpy (output_base_name, optarg);
> > + strncpy (output_base_name, optarg,
> > sizeof(output_base_name));
>
> You must add
>
> output_base_name[sizeof(output_base_name)]='\0' ;
>
> here, otherwise your string will not be null-terminated when optarg is too
> long.
>
> Regards,
> Didier.
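
Review bot: the added `strncpy (output_base_name, optarg, sizeof(output_base_name));` line leaves the buffer unterminated, because strncpy writes no NUL when optarg is sizeof(output_base_name) bytes or longer, so any later string read of output_base_name runs past its end. Assuming output_base_name is a char array (which the sizeof usage implies), its last valid index is sizeof(output_base_name) - 1, so follow the copy with `output_base_name[sizeof(output_base_name) - 1] = '\0';` rather than an assignment at index sizeof(output_base_name), which writes one byte past the buffer. Consider also rejecting an over-long argument to this option with an error instead of truncating it silently, since a truncated output base name changes which files get written.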