diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2020-03-29 00:38:37 +0100 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2020-03-29 00:49:40 +0100 |
| commit | d9cfb9960dd1f39861e592d5eef4589810f2cb48 (patch) | |
| tree | f5697db99d98ae3765709441af067fc9ccdee2e1 /socket.c | |
| parent | e9f7a61890f9ecf6eb20490f6f9936dc6c9ea250 (diff) | |
| download | fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.tar.gz fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.tar.bz2 fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.zip | |
Fix garbage at end of plugin string with %h and/or %p
Commit 418cda65 from merge request !5 fixed an input buffer overrun but at the
same time caused the terminating NUL byte in the output buffer to be written
too late, 2 bytes per placeholder.
Fix the size calculation for correctness, and use the output index
and not the output length to terminate the output string.
Fixes #16, reported by Stefan Thurner. [All references for Gitlab.]
Diffstat (limited to 'socket.c')
| -rw-r--r-- | socket.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -104,7 +104,8 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha p = c; } - plugin_copy_len = plugin_len + host_len * host_count + service_len * service_count; + /* we need to discount 2 bytes for each placeholder */ + plugin_copy_len = plugin_len + (host_len - 2) * host_count + (service_len - 2) * service_count; plugin_copy = (char *)malloc(plugin_copy_len + 1); if (!plugin_copy) { @@ -129,7 +130,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha plugin_copy_offset++; } } - plugin_copy[plugin_copy_len] = 0; + plugin_copy[plugin_copy_offset] = 0; /* XXX FIXME - is this perhaps a bit too simplistic to chop down the argument strings without any respect to quoting? * better write a generic function that tracks arguments instead... */ |