it's pretty simple, just look where i made the <--- arrow in
my original post.
a patch might look like this:
static int
fillinds(DS *ds, Dest *dp)
{
Conn *conn;
if (dp->winner < 0)
return -1;
conn = &dp->conn[dp->winner];
if (dp->cfdp)
*ds->cfdp = conn->cfd;
if (ds->dir) {
- strncpy(ds->dir, conn->dir, NETPATHLEN);
- ds->dir[NETPATHLEN] = '\0';
+ strncpy(ds->dir, conn->dir, NETPATHLEN-1);
+ ds->dir[NETPATHLEN-1] = '\0';
}
return conn->dfd;
}
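Review bot: the patched lines fix the out-of-bounds write, but they also silently drop one byte of payload: conn->dir can hold a full NETPATHLEN-character string (it has NETPATHLEN+1 capacity), and `strncpy(ds->dir, conn->dir, NETPATHLEN-1);` followed by `ds->dir[NETPATHLEN-1] = '\0';` truncates such a string to NETPATHLEN-1 characters without telling the caller. If the caller's buffer is specified as at least NETPATHLEN bytes, either document that dial() returns at most NETPATHLEN-1 characters of dir, or have the caller pass its buffer size so the copy can use the real bound. Separately, in the unchanged context `if (dp->cfdp)` tests dp->cfdp but the assignment writes through `*ds->cfdp`; if both structs carry a cfdp, the test and the dereference should refer to the same one.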
to be clear, everyone seems to get confused with conn->dir vs ds->dir.
conn->dir has NETPATHLEN+1 capacity (why? makes no sense..). there's no
overflow at conn->dir. but ds->dir is a pointer to the connection dir
string passed by the caller of dial(). this buffer is just 40 (NETPATHLEN)
bytes long (that's its required minimum size), so doing:
ds->dir[NETPATHLEN] = '\0';
will write beyond it.
there's no patch yet. geoff is notified of the issue.
--
cinap
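The off-by-one described in the post, reproduced as an added example that is not part of the thread or of the Plan 9 source. It assumes NETPATHLEN is 40 as the post states, and uses a stand-in Conn struct (hypothetical, only the dir field) plus a probe buffer of NETPATHLEN+1 bytes with a canary in the extra byte, so that the write the buggy copy performs at index NETPATHLEN can be observed without the probe itself going out of bounds. The function names copy_dir_buggy, copy_dir_fixed, overflows and copied_len are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define NETPATHLEN 40   /* from the post: required minimum size of the caller's dir buffer */

/* Stand-in for the connection record: conn->dir has NETPATHLEN+1 capacity (hypothetical struct). */
typedef struct {
    char dir[NETPATHLEN + 1];
} Conn;

typedef void copy_fn(char *dst, const Conn *conn);

/* The original copy: strncpy never terminates a full-length copy, so the
   explicit terminator lands at index NETPATHLEN, one past a NETPATHLEN-byte buffer. */
static void copy_dir_buggy(char *dst, const Conn *conn)
{
    strncpy(dst, conn->dir, NETPATHLEN);
    dst[NETPATHLEN] = '\0';
}

/* The proposed fix: copy at most NETPATHLEN-1 bytes and terminate inside the buffer. */
static void copy_dir_fixed(char *dst, const Conn *conn)
{
    strncpy(dst, conn->dir, NETPATHLEN - 1);
    dst[NETPATHLEN - 1] = '\0';
}

/* Fill a Conn with a constructed 40-character dir string (the longest conn->dir can hold). */
static void make_conn(Conn *conn)
{
    memset(conn->dir, 'A', NETPATHLEN);
    conn->dir[NETPATHLEN] = '\0';
}

/* Probe: bytes 0..NETPATHLEN-1 play the caller's buffer, byte NETPATHLEN is a canary.
   Returns 1 if the copy clobbered the canary, i.e. wrote past the caller's 40 bytes. */
static int overflows(copy_fn *copy)
{
    unsigned char buf[NETPATHLEN + 1];
    Conn conn;

    make_conn(&conn);
    memset(buf, 0, sizeof buf);
    buf[NETPATHLEN] = 0xEE;             /* canary just past the caller's buffer */
    copy((char *)buf, &conn);
    return buf[NETPATHLEN] != 0xEE;
}

/* How many characters of the dir string the caller actually receives. */
static size_t copied_len(copy_fn *copy)
{
    char buf[NETPATHLEN + 1];
    Conn conn;

    make_conn(&conn);
    memset(buf, 0, sizeof buf);
    copy(buf, &conn);
    return strnlen(buf, sizeof buf);
}

int main(void)
{
    printf("buggy: overflow=%d, copied=%zu chars\n", overflows(copy_dir_buggy), copied_len(copy_dir_buggy));
    printf("fixed: overflow=%d, copied=%zu chars\n", overflows(copy_dir_fixed), copied_len(copy_dir_fixed));
    return 0;
}
```

The probe shows both halves of the trade-off the post's patch makes: the original terminator write lands on the canary (a one-byte overflow of whatever the caller placed after its 40-byte buffer), while the fixed copy stays inside the buffer but hands back at most 39 characters of a 40-character dir. Note also why the explicit terminator is needed at all: strncpy does not add a NUL when the source fills the whole count, so dropping that line would trade the overflow for an unterminated string.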