https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4450
--- Comment #2 from Jim Young <jyoung@xxxxxxx> 2010-02-02 20:01:45 PST ---
g_strlcpy() has an unwanted side effect. Regardless of the supplied len
g_strlcpy() returns the strlen() of the src buffer. Even if we only want to
copy one character from src, the entire src buffer will be walked to determine
its strlen().
http://library.gnome.org/devel/glib/unstable/glib-String-Utility-Functions.html#g-strlcpy
The glib implementation appears to be based on:
http://mail.gnome.org/archives/gtk-devel-list/2000-May/msg00029.html
g_strlcpy() assumes that src *IS* ASCII NUL terminated. If the src buffer is
not NUL terminated, g_strlcpy() *WILL* read past the end of the buffer.
In the use case for parsing the http header, ep_strndup() is called repeatedly
to pull individual chunks from a bigger buffer. I'm not certain that the
supplied buffer is actually NUL terminated. And even if the buffer is NUL
terminated, the return value of g_strlcpy() is ignored within ep_strndup() and
se_strndup().
Suggest reversion of SVN 30488 and perhaps undertake audit of other uses of
g_strlcpy().
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.