From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <518935cf94deb137205a6f672a01c3ee@rei2.9hal>
Date: Sun, 9 Sep 2012 00:27:04 +0200
From: cinap_lenrek@gmx.de
To: 9fans@9fans.net
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] dns
Topicbox-Message-UUID: b797f080-ead7-11e9-9d60-3106f5b1d025

It's pretty simple, just look where I made the <--- arrow in my original
post. A patch might look like this:

static int
fillinds(DS *ds, Dest *dp)
{
	Conn *conn;

	if (dp->winner < 0)
		return -1;
	conn = &dp->conn[dp->winner];
	if (dp->cfdp)
		*ds->cfdp = conn->cfd;
	if (ds->dir) {
-		strncpy(ds->dir, conn->dir, NETPATHLEN);
-		ds->dir[NETPATHLEN] = '\0';
+		strncpy(ds->dir, conn->dir, NETPATHLEN-1);
+		ds->dir[NETPATHLEN-1] = '\0';
	}
	return conn->dfd;
}

To be clear, everyone seems to get confused with conn->dir vs ds->dir.
conn->dir has NETPATHLEN+1 capacity (why? makes no sense..). There's no
overflow at conn->dir. But ds->dir is a pointer to the connection dir
string passed by the caller of dial(). This buffer is just 40 (NETPATHLEN)
bytes long (that's its required minimum size), so doing:

	ds->dir[NETPATHLEN] = '\0';

will write beyond it.

There's no patch yet. geoff is notified of the issue.

--
cinap
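Review bot: the guard and the store in the unchanged context above the changed lines disagree: `if (dp->cfdp) *ds->cfdp = conn->cfd;` tests dp->cfdp but writes through ds->cfdp, so a null ds->cfdp would be dereferenced whenever dp->cfdp happens to be non-null; the test should be on the pointer being written, `if (ds->cfdp) *ds->cfdp = conn->cfd;`, unless this is a slip in transcribing the patch into the mail, which is worth confirming against the tree before it goes in. The changed lines themselves agree with the explanation that follows them: with a NETPATHLEN-byte caller buffer, NETPATHLEN-1 is both the right copy bound and the last index the terminator may occupy.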
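An added example, not code from the thread or from Plan 9's dial.c, that puts the original and patched copies side by side against a stand-in NETPATHLEN-byte caller buffer; the fill_dir_* names, the 0x5a marker byte and the sample path are constructed here.

```c
#include <stdio.h>
#include <string.h>

#define NETPATHLEN 40   /* size named in the thread */
#define CANARY 0x5a     /* constructed marker for the byte just past dir[] */

/* Original form: strncpy may fill all NETPATHLEN bytes and the terminator
 * store then lands at dir[NETPATHLEN], one past the end of the buffer. */
static void fill_dir_before(char *dir, const char *src)
{
	strncpy(dir, src, NETPATHLEN);
	dir[NETPATHLEN] = '\0';
}

/* Patched form from the thread: copy at most NETPATHLEN-1 bytes and
 * terminate at the last index the caller actually owns. */
static void fill_dir_after(char *dir, const char *src)
{
	strncpy(dir, src, NETPATHLEN-1);
	dir[NETPATHLEN-1] = '\0';
}

/* Caller's buffer modelled as NETPATHLEN bytes plus one byte standing in for
 * whatever follows it in memory (kept inside the array so the demo itself has
 * no undefined behaviour). Returns 1 if that byte is untouched by fill(). */
int past_end_intact(void (*fill)(char *, const char *), const char *src)
{
	char buf[NETPATHLEN + 1];
	memset(buf, 'x', NETPATHLEN);
	buf[NETPATHLEN] = CANARY;
	fill(buf, src);
	return (unsigned char)buf[NETPATHLEN] == CANARY;
}

/* Length the caller sees afterwards; the original form can reach NETPATHLEN. */
size_t copied_len(void (*fill)(char *, const char *), const char *src)
{
	char buf[NETPATHLEN + 1];
	fill(buf, src);
	return strlen(buf);
}

int main(void)
{
	/* constructed sample path, longer than NETPATHLEN to force truncation */
	const char *rem = "/net/tcp/clone/constructed-sample-path-over-forty-bytes";
	printf("before: intact=%d len=%zu\n", past_end_intact(fill_dir_before, rem),
	    copied_len(fill_dir_before, rem));
	printf("after:  intact=%d len=%zu\n", past_end_intact(fill_dir_after, rem),
	    copied_len(fill_dir_after, rem));
	return 0;
}
```

The original form clobbers the byte past the buffer even for a short path, because the terminator store is unconditional; the patched form leaves it alone and caps the visible string at 39 characters.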