Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

lsteamclinet: fixed potential stack-based buffer overflow in unixlib#8785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
Reodus wants to merge1 commit intoValveSoftware:proton_10.0
base:proton_10.0
Choose a base branch
Loading
fromReodus:proton_10.0

Conversation

@Reodus
Copy link

This patch addresses a stack-based buffer overflow in thesteamclient_dos_to_unix_path function.

The original implementation usedstrcpy to copy thesrc string into a fixed-size stack buffer (char buffer[4096]) without bounds checking. This could lead to buffer overflow if the input string exceeds the buffer size, potentially causing crashes or unexpected behavior.

This fix replaces the unsafestrcpy call withstrncpy, and ensures null-termination by explicitly setting the last byte of the buffer to\0. This change mitigates the overflow risk while preserving the original logic of the function.

Summary of changes:

  • Replacedstrcpy(dst, src) withstrncpy(dst, src, sizeof(buffer) - 1)
  • Addeddst[sizeof(buffer) - 1] = '\0' to guarantee null-termination

@jammy3855
Copy link

Per the man page forstrncpy:

If the array pointed to by s2 is a string that is shorter than n
bytes, NUL characters shall be appended to the copy in the array
pointed to by s1, until n bytes in all are written.

This will copy unnecessary NUL characters ifsrc is shorter thansizeof(buffer) - 1
If we look atstrncat:

This function appends at most ssize non-null bytes from the array
pointed to by src, followed by a null character, to the end of the
string pointed to by dst.

strncat will not copy unnecessary NUL characters.

Per the Stack Overflow link below, the fix could look like:

dst[0] = '\0';strncat( dst, src, sizeof(buffer - 1) );

Butdst is already appropriately set a few lines up:

*dst = 0;

So the final fix would look like:

strncat( dst, src, sizeof(buffer - 1) );

Nevertheless, the current change does address the issue 😄

strncpy
strncat
Copying using strncat

Reodus reacted with thumbs up emoji

@Reodus
Copy link
Author

Per the man page forstrncpy:

If the array pointed to by s2 is a string that is shorter than n
bytes, NUL characters shall be appended to the copy in the array
pointed to by s1, until n bytes in all are written.

This will copy unnecessary NUL characters ifsrc is shorter thansizeof(buffer) - 1 If we look atstrncat:

This function appends at most ssize non-null bytes from the array
pointed to by src, followed by a null character, to the end of the
string pointed to by dst.

strncat will not copy unnecessary NUL characters.

Per the Stack Overflow link below, the fix could look like:

dst[0] = '\0';strncat( dst, src, sizeof(buffer - 1) );

Butdst is already appropriately set a few lines up:

*dst = 0;

So the final fix would look like:

strncat( dst, src, sizeof(buffer - 1) );

Nevertheless, the current change does address the issue 😄

strncpystrncatCopying using strncat

Good point about strncat — makes total sense and yeah, definitely cleaner than strncpy in this case. I’ve updated the patch to use that instead. Appreciate the suggestion!

jammy3855 reacted with thumbs up emoji

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Reodus@jammy3855
[8]ページ先頭
©2009-2025 Movatter.jp