From 5f32304805bfa0b5cb20cb49b987959026edde02 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 7 Mar 2009 22:08:05 +0000
Subject: [PATCH] - (Mar 7 2009) Olivier Hervieu pointed out a flaw in the libssh2_channel_x11_req_ex() function that made it produce a crappy random chunk of data. Peter Stuge improved the fix to not do out-of-boundary writes. I (Daniel Stenberg) replaced the snprintf() with a plain sprintf() since the size argument wasn't adding anything anyway.
---
 NEWS | 6 ++++++
 src/channel.c | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 3cc1539..3e7548b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,10 @@
+- (Mar 7 2009) Olivier Hervieu pointed out a flaw in the
+ libssh2_channel_x11_req_ex() function that made it produce a crappy random
+ chunk of data. Peter Stuge improved the fix to not do out-of-boundary
+ writes. I (Daniel Stenberg) replaced the snprintf() with a plain sprintf()
+ since the size argument wasn't adding anything anyway.
+
 - (Feb 23 2009) Added libssh2_version()
 - (Feb 20 2009) libssh2_channel_direct_tcpip_ex() bug #1902169 fixed, which
diff --git a/src/channel.c b/src/channel.c
index 0fa6306..57e3580 100644
--- a/src/channel.c
+++ b/src/channel.c
@@ -1093,11 +1093,15 @@ libssh2_channel_x11_req_ex(LIBSSH2_CHANNEL * channel, int single_connection,
 memcpy(s, auth_cookie, cookie_len);
 } else {
 int i;
- unsigned char buffer[LIBSSH2_X11_RANDOM_COOKIE_LEN / 2];
+ /* note: the extra +1 below is necessary since the sprintf()
+ loop will always write 3 bytes so the last one will write
+ the trailing zero at the LIBSSH2_X11_RANDOM_COOKIE_LEN/2
+ border */
+ unsigned char buffer[(LIBSSH2_X11_RANDOM_COOKIE_LEN / 2) +1];
 libssh2_random(buffer, LIBSSH2_X11_RANDOM_COOKIE_LEN / 2);
 for(i = 0; i < (LIBSSH2_X11_RANDOM_COOKIE_LEN / 2); i++) {
- snprintf((char *) s + (i * 2), 2, "%02X", buffer[i]);
+ sprintf((char *)&s[i*2], "%02X", buffer[i]);
 }
 }
 s += cookie_len;
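Review bot: The `+1` added to `buffer` does not cover the write the new comment describes, because `buffer` is only read in this hunk (`libssh2_random` fills LIBSSH2_X11_RANDOM_COOKIE_LEN / 2 bytes and the loop reads `buffer[i]` below that bound); the third byte each `sprintf` call writes, the terminating NUL, lands in the destination at `s[i*2 + 2]`, so the last iteration stores a NUL at `s[LIBSSH2_X11_RANDOM_COOKIE_LEN]`, one past the cookie_len hex characters. Whether that byte is still inside the packet allocation depends on code outside this hunk (the function starts and ends outside it); it is presumably overwritten by whatever is written after `s += cookie_len`, but the encoder should not rely on that. Emitting the two hex digits directly avoids both the stray NUL and the oversized `buffer`: declare `static const char hex[] = "0123456789ABCDEF";` before the loop, and replace the `sprintf` line with `s[i*2] = hex[buffer[i] >> 4]; s[i*2 + 1] = hex[buffer[i] & 0x0f];`. With that change the `+1` on `buffer` and the four-line note above its declaration can be dropped.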