From bdd058e36c994101001b3d0fa17f91ad4d299d43 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 18 Aug 2020 13:18:52 +0200
Subject: [PATCH] imv-scanner: Fix potential buffer overflow

While `pos` was moved to the end, `len` was not adjusted (i.e. set to 0) so later calls could write beyond the buffer. However, the last port written might have been incomplete, so instead we just reset the string.
---
 src/libimcv/plugins/imv_scanner/imv_scanner_agent.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
index 8dce4986f..247a76c3f 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
@@ -429,7 +429,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 written = snprintf(pos, len, " %u", port);
 if (written < 0 || written >= len)
 {
- pos += len - 1;
 *pos = '\0';
 }
 else
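Review bot: The truncation branch (`written < 0 || written >= len`) now drops the partial port silently, so the resulting port list can be incomplete with nothing to tell the reader. Because `pos` and `len` are left unchanged, a later, shorter port number may still fit after a longer one was dropped, assuming this runs inside a loop over ports; the loop is not visible in the hunk. The string can therefore skip entries in the middle rather than only at the end. I would document the invariant on the reset, e.g. `/* truncated: discard the partial port; pos/len stay unchanged so later writes remain in bounds */`, and consider recording that truncation happened so the port list is not read as complete. The `else` body and the rest of `batch_ending` lie outside the hunk, so how the string is consumed afterwards should be confirmed there.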