Month of Kali Off-By-Ones #1 #2 # 3 #4

The following 4 code snippets have classic off-by-one bugs. They don't explicitly nul terminate strings after a strncpy. If strncpy reaches its buffer max, it won't nul terminate. In fact, strncpy's behaviour is quite problematic and prone to this type of bug so OpenBSD introduced strlcpy many years ago and other OSs have done the same.

source package: libaria #1

char myWaitingForDir[2048];

AREXPORT void ArClientFileLister::changeToAbsDir(const char *dir)
  strncpy(myWaitingForDir, dir, sizeof(myWaitingForDir));
  //printf("Getting %s\n", myWaitingForDir);
  std::string waitingFor = myWaitingForDir;
  //myClient->requestOnceWithString("getDirListing", waitingFor.c_str());

source package: xenomai #2

static inline void xntimer_set_name(xntimer_t *timer, const char *name)
        strncpy(timer->name, name, sizeof(timer->name));

source package: service-wrapper #3

    char localAddr[128];
        addr.S_un.S_addr = (u_long)tcpTable->table[i].dwLocalAddr;
        strncpy(localAddr, inet_ntoa(addr), sizeof(localAddr));
        localPort = ntohs((u_short)tcpTable->table[i].dwLocalPort);
        addr.S_un.S_addr = (u_long)tcpTable->table[i].dwRemoteAddr;
        strncpy(remoteAddr, inet_ntoa(addr), sizeof(remoteAddr));

is this a bug? inet_ntoa will be quite small and nul terminate.. I class it as a bad development practice.

source package: nfs-utils #4

        static char buf[PATH_MAX];
        struct stat st;
        char *path;

        /* First: test length of name and whether it exists */
        if (lstat(parentdir, &st) == -1) {
                (void)fprintf(stderr, "%s: Failed to stat %s: %s",
                                progname, parentdir, strerror(errno));
                return false;

        /* Ensure we have a clean directory pathname */
        strncpy(buf, parentdir, sizeof(buf));
        path = dirname(buf);
        if (*path == '.') {
                (void)fprintf(stderr, "%s: Unusable directory %s",
                                progname, parentdir);
                return false;


Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)