Hello, sane-backends-1.0.18:
Here is a fix for possible buffer overflows:

-------------------------------------------------------------------- --- backend/as6e.c.orig 2004-10-03 16:21:45.000000000 +0200 +++ backend/as6e.c 2006-10-27 12:52:54.000000000 +0200 @@ -811,9 +811,11 @@ check_for_driver (const char *devname) dir[count - offset] = path[count]; count++; } - strncpy (fullname, dir, NAMESIZE); - strncat (fullname, "/", NAMESIZE); - strncat (fullname, devname, NAMESIZE); + /* use sizeof(fullname)-1 to make sure there is at least one padded null byte */ + strncpy (fullname, dir, sizeof(fullname)-1); + /* take into account that fullname already contains non-null bytes */ + strncat (fullname, "/", sizeof(fullname)-strlen(fullname)-1); + strncat (fullname, devname, sizeof(fullname)-strlen(fullname)-1); if (!stat (fullname, &statbuf)) { modes = statbuf.st_mode; --------------------------------------------------------------------

Background information:

Anything looking like strncat(dest, src, sizeof(dest)) is wrong and might overflow the dest buffer depending on what is in dest before.

The fix is to care about what is in dest before and to leave space for the terminating null byte:

strncat(dest, src, sizeof(dest) - strlen(dest) - 1)

A different but similar issue is strncpy(dest, src, sizeof(dest)) because if sizeof(src) >= sizeof(dest) there is no overflow of dest but there is no terminating null byte in dest and the next function which reads dest may read too many characters which may overflow another buffer.

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5 Mail: jsm...@suse.de
90409 Nuernberg, Germany WWW: http://www.suse.de/
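Review bot: the added strncpy line leaves termination of fullname to whatever the buffer held before. strncpy (fullname, dir, sizeof(fullname)-1) never writes the last byte, so the "padded null byte" named in the comment exists only if fullname was zeroed earlier, which the hunk does not show; if dir fills the buffer and that byte is not zero, the strlen(fullname) calls in the next two lines read past the array. Setting fullname[sizeof(fullname)-1] = '\0' right after the strncpy removes that dependency. Separately, all three calls truncate silently, so an over-long dir or devname makes the stat () that follows check a shortened path; a length check that returns before the stat would make that case explicit. sizeof(fullname) is also only correct while fullname is an array rather than a pointer, and its declaration is outside the visible context.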
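The two pitfalls from the background information, as an added example that is not part of the original mail or of sane-backends. The helper names, BUFSZ and the sample paths are constructed for illustration; nothing here writes out of bounds, because the strncat overrun is computed rather than triggered.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 8   /* constructed size, small so the edge cases are easy to hit */

/* Bytes strncat(dest, src, n) stores counting from dest[0]: the text already
 * in dest, at most n bytes of src, and the NUL that strncat always appends. */
static size_t strncat_extent(const char *dest, const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n) add = n;
    return strlen(dest) + add + 1;
}

/* 1 if strncpy(dest, src, n) leaves no NUL in dest[0..n-1], 0 otherwise. */
static int strncpy_unterminated(const char *src, size_t n)
{
    char dest[BUFSZ];
    if (n > sizeof(dest)) return -1;
    strncpy(dest, src, n);          /* writes exactly n bytes, NUL-padded if src is short */
    return memchr(dest, '\0', n) == NULL;
}

/* Bounded join using the bounds from the patch, plus explicit termination
 * and a truncation report: 0 = joined, -1 = result does not fit in out. */
static int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (strlen(dir) + 1 + strlen(name) + 1 > outsz) return -1;
    strncpy(out, dir, outsz - 1);
    out[outsz - 1] = '\0';          /* do not rely on out having been zeroed */
    strncat(out, "/", outsz - strlen(out) - 1);
    strncat(out, name, outsz - strlen(out) - 1);
    return 0;
}

int main(void)
{
    char out[BUFSZ];
    printf("n = sizeof(dest):      %zu bytes needed, %d available\n",
           strncat_extent("/usr", "/bin", BUFSZ), BUFSZ);
    printf("n = remaining space:   %zu bytes needed, %d available\n",
           strncat_extent("/usr", "/bin", BUFSZ - strlen("/usr") - 1), BUFSZ);
    printf("strncpy, 8-char src:   unterminated = %d\n",
           strncpy_unterminated("12345678", BUFSZ));
    printf("join_path fits / too long: %d / %d\n",
           join_path(out, sizeof out, "/a", "scan"),
           join_path(out, sizeof out, "/usr", "scan"));
    return 0;
}
```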