buffer overflow in the ssh method



While playing with the ssh-method, I found the following piece of code in the do_read_directory function: 

char line[LINE_LENGTH];
int i = 0;
while (i < LINE_LENGTH) {
	if (end_of_line())
		break;
	i++;
}
line[i] = 0;	/* when i == LINE_LENGTH this writes one byte past the end of line */

(This is used to parse the output of an ls.)
If the line is too long, we'll do a line[LINE_LENGTH] = 0;, which is outside the bounds of line. line should be defined as char line[LINE_LENGTH+1].
That's a little worrying since it can be triggered from a remote site, but since the ssh method can't work unless ssh can log in to the site without being asked for a password, that's probably not critical.
I'm currently working on a patch for the ssh method which fixes that among other things (the main change being that it should correctly report when it did not manage to log in to the specified ssh:// uri).

Christophe
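As an added illustration of the fix described above (this is not the ssh method's own code, and it assumes a deliberately tiny LINE_LENGTH and a constructed sample of ls output), the loop below keeps the same shape as the quoted one but sizes the buffer LINE_LENGTH + 1 so the terminating write is always in bounds, and it reports an overlong line instead of silently truncating it:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small so the overlong case is easy to exercise (constructed value,
   not the real LINE_LENGTH of the ssh method). */
#define LINE_LENGTH 8

/* Copy one line of `input` into `line`, which must provide LINE_LENGTH + 1 bytes.
   Returns the number of bytes stored, or -1 if the line did not fit, so the caller
   can decide what to do with it rather than parsing a truncated entry. */
int read_ls_line(const char *input, char line[LINE_LENGTH + 1])
{
    size_t i = 0;
    while (i < LINE_LENGTH) {
        if (input[i] == '\n' || input[i] == '\0')
            break;
        line[i] = input[i];
        i++;
    }
    /* With LINE_LENGTH + 1 bytes of storage, i == LINE_LENGTH is still in bounds. */
    line[i] = '\0';
    if (input[i] != '\n' && input[i] != '\0')
        return -1;              /* line was longer than LINE_LENGTH */
    return (int)i;
}

/* Walk a whole block of ls output, counting lines that fit the buffer and
   lines that were rejected as overlong (the rejected ones are skipped whole). */
void scan_ls_output(const char *output, int *ok, int *too_long)
{
    char line[LINE_LENGTH + 1];
    *ok = 0;
    *too_long = 0;
    while (*output) {
        if (read_ls_line(output, line) < 0)
            (*too_long)++;
        else
            (*ok)++;
        const char *nl = strchr(output, '\n');
        if (!nl)
            break;
        output = nl + 1;
    }
}

int main(void)
{
    /* Constructed sample of ls output: one short name, one overlong name, and one
       name that is exactly LINE_LENGTH bytes (the case that overflowed the original). */
    const char *sample = "a.txt\nverylongfilename\nabcdefgh\n";
    int ok, too_long;
    scan_ls_output(sample, &ok, &too_long);
    printf("parsed %d line(s), rejected %d overlong line(s)\n", ok, too_long);
    return 0;
}
```

The exact-length case is the one worth checking: with the original char line[LINE_LENGTH] an eight-byte name ends the loop with i == LINE_LENGTH and the null byte lands past the array, whereas here it is stored at index LINE_LENGTH of a nine-byte buffer.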


