- (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c.

[openssh.git] / fake-getnameinfo.c

diff --git a/fake-getnameinfo.c b/fake-getnameinfo.c
index 867cf90b5a5e056b3469451a29e2a734cb895435..7b00981580a02d2bf14c972fea223c862df1b3f9 100644 (file)
--- a/fake-getnameinfo.c
+++ b/fake-getnameinfo.c
@@ -25,15 +25,15 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
                if (strlen(tmpserv) > servlen)
                        return EAI_MEMORY;
                else
-                       strcpy(serv, tmpserv);
+                       strlcpy(serv, tmpserv, servlen);
        }
 
        if (host) {
                if (flags & NI_NUMERICHOST) {
-                       if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
+                       if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen)
                                return EAI_MEMORY;
 
-                       strcpy(host, inet_ntoa(sin->sin_addr));
+                       strlcpy(host, inet_ntoa(sin->sin_addr), hostlen);
                        return 0;
                } else {
                        hp = gethostbyaddr((char *)&sin->sin_addr, 
@@ -41,10 +41,10 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
                        if (hp == NULL)
                                return EAI_NODATA;
                        
-                       if (strlen(hp->h_name) > hostlen)
+                       if (strlen(hp->h_name) >= hostlen)
                                return EAI_MEMORY;
 
-                       strcpy(host, hp->h_name);
+                       strlcpy(host, hp->h_name, hostlen);
                        return 0;
                }
        }