getpass fgets check
Joakim Tjernlund
joakim.tjernlund at transmode.se
Tue Dec 20 08:43:48 UTC 2011
> From: Daniel Wainwright <wainwright.daniel at gmail.com>
> To: uclibc at uclibc.org
> Date: 2011/12/20 08:44
> Subject: getpass fgets check
> Sent by: uclibc-bounces at uclibc.org
>
> Hi,
>
> I believe there is a simple error in getpass.c, line 80:
>
>
>
> static char buf[PWD_BUFFER_SIZE];
>
> ...
>
> /* Read the password. */
> fgets (buf, PWD_BUFFER_SIZE-1, in);
> if (buf != NULL)
>
> ...
>
>
>
> So the result of fgets is not being checked here, which results in reading the
> buffer uninitialised below.
Yes, and I think (if max passwd len is important) that it should read
fgets (buf, PWD_BUFFER_SIZE, in)
as fgets man page says:
fgets() reads in at most one less than size characters from stream and
stores them into the buffer pointed to by s.
Jocke
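
The two points raised in this thread (the ignored fgets() return value and the size argument), shown as an added example that is not part of the original messages or of uClibc's getpass.c. The 8-byte PWD_BUFFER_SIZE, the input "hunter2", the newline stripping and the helper names read_unchecked, read_checked and read_from are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PWD_BUFFER_SIZE 8  /* constructed small value for the demo, not uClibc's */
static char buf[PWD_BUFFER_SIZE];

/* Quoted pattern: fgets() result ignored. The original's `buf != NULL` test is
   always true for an array, so it is left out here. */
static char *read_unchecked(FILE *in)
{
    char *ignored = fgets(buf, PWD_BUFFER_SIZE - 1, in);
    (void)ignored;
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

/* Checked form: test the return value and pass the full size to fgets(). */
static char *read_checked(FILE *in)
{
    if (fgets(buf, PWD_BUFFER_SIZE, in) == NULL) {
        memset(buf, 0, sizeof buf);  /* added here: drop any earlier contents */
        return NULL;
    }
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

/* Hypothetical helper: feed constructed `text` to `reader` via a temporary file. */
static const char *read_from(char *(*reader)(FILE *), const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) abort();
    fputs(text, f);
    rewind(f);
    const char *result = reader(f);
    fclose(f);
    return result;
}

int main(void)
{
    printf("unchecked read:   \"%s\"\n", read_from(read_unchecked, "hunter2\n"));
    printf("unchecked at EOF: \"%s\"\n", read_from(read_unchecked, ""));
    printf("checked read:     \"%s\"\n", read_from(read_checked, "hunter2\n"));
    const char *p = read_from(read_checked, "");
    printf("checked at EOF:   %s\n", p ? p : "(NULL)");
    return 0;
}
```

With the 8-byte buffer, the `PWD_BUFFER_SIZE - 1` call keeps 6 characters and the full-size call keeps 7; at EOF the unchecked form hands back the previous call's contents because fgets() leaves the buffer untouched when it reads nothing.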