[network-manager-applet] wep: fix a couple of potential buffer overflows

From: Lubomir Rintel <lkundrak src gnome org>
To: commits-list gnome org
Cc:
Subject: [network-manager-applet] wep: fix a couple of potential buffer overflows
Date: Tue, 8 Mar 2016 12:41:32 +0000 (UTC)
commit d99ac2db56ff76a24f488e8a2be73cf24a316219
Author: Lubomir Rintel <lkundrak v3 sk>
Date:   Tue Mar 8 11:16:31 2016 +0100

    wep: fix a couple of potential buffer overflows
    
    Coverity thinks we're no good at string manipulation.
    Can't argue with that.
    
    (Not a security issue; the user could overflow the buffer by typing a
    too long WEP key, but no privilege boundary is crossed.)
    
    CID 59920 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
    2. fixed_size_dest: You might overrun the 65 byte fixed-size string
    sec->keys[sec->cur_index] by copying key without checking the length.
    
    CID 59919 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
    1. fixed_size_dest: You might overrun the 65 byte fixed-size string
    sec->keys[sec->cur_index] by copying key without checking the length.
    
    CID 59918 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
    4. fixed_size_dest: You might overrun the 65 byte fixed-size string
    sec->keys[i] by copying tmp without checking the length.

 src/wireless-security/ws-wep-key.c  |    6 +++---
 src/wireless-security/ws-wep-key.ui |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
---
diff --git a/src/wireless-security/ws-wep-key.c b/src/wireless-security/ws-wep-key.c
index a95695b..3628d67 100644
--- a/src/wireless-security/ws-wep-key.c
+++ b/src/wireless-security/ws-wep-key.c
@@ -64,7 +64,7 @@ key_index_combo_changed_cb (GtkWidget *combo, WirelessSecurity *parent)
        entry = GTK_WIDGET (gtk_builder_get_object (parent->builder, "wep_key_entry"));
        key = gtk_entry_get_text (GTK_ENTRY (entry));
        if (key)
-               strcpy (sec->keys[sec->cur_index], key);
+               g_strlcpy (sec->keys[sec->cur_index], key, sizeof (sec->keys[sec->cur_index]));
        else
                memset (sec->keys[sec->cur_index], 0, sizeof (sec->keys[sec->cur_index]));
 
@@ -170,7 +170,7 @@ fill_connection (WirelessSecurity *parent, NMConnection *connection)
        widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "wep_key_entry"));
        passwd_entry = widget;
        key = gtk_entry_get_text (GTK_ENTRY (widget));
-       strcpy (sec->keys[sec->cur_index], key);
+       g_strlcpy (sec->keys[sec->cur_index], key, sizeof (sec->keys[sec->cur_index]));
 
        /* Blow away the old security setting by adding a clear one */
        s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
@@ -228,7 +228,7 @@ update_secrets (WirelessSecurity *parent, NMConnection *connection)
        for (i = 0; s_wsec && i < 4; i++) {
                tmp = nm_setting_wireless_security_get_wep_key (s_wsec, i);
                if (tmp)
-                       strcpy (sec->keys[i], tmp);
+                       g_strlcpy (sec->keys[i], tmp, sizeof (sec->keys[i]));
        }
 
        widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "wep_key_entry"));
diff --git a/src/wireless-security/ws-wep-key.ui b/src/wireless-security/ws-wep-key.ui
index 2726290..62b11a5 100644
--- a/src/wireless-security/ws-wep-key.ui
+++ b/src/wireless-security/ws-wep-key.ui
@@ -66,6 +66,7 @@
           <object class="GtkEntry" id="wep_key_entry">
             <property name="visible">True</property>
             <property name="can_focus">True</property>
+            <property name="max_length">64</property>
             <property name="visibility">False</property>
             <property name="activates_default">True</property>
           </object>
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]