[Announce] GnuPG 1.4 and 2.0 buffer overflow

Claus Assmann ca+gnupg at esmtp.org
Mon Nov 27 19:46:28 CET 2006


> +    n = strlen(s) + (defname?strlen (defname):0) + 10;
>      prompt = xmalloc(n);
>      if( defname )
>         sprintf(prompt, "%s [%s]: ", s, defname );
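Review bot: the `+ 10` margin on the `n = strlen(s) + ... + 10` line is an unexplained constant; the format string `"%s [%s]: "` contributes 5 bytes plus the terminating NUL, so the allocation is sufficient, but nothing ties the margin to the format. Suggest either a comment stating what the 10 covers, or replacing `sprintf(prompt, "%s [%s]: ", s, defname )` with `snprintf(prompt, n, "%s [%s]: ", s, defname )` so that a later change to the format or to the sizing line cannot silently reintroduce the overflow; the `else` branch for a NULL `defname` is not shown in the quoted context and should receive the same treatment.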

Wouldn't it be more secure to replace sprintf with snprintf
(and the proper length restriction of course)?

         snprintf(prompt, n, "%s [%s]: ", s, defname );

(same for strcpy() -> strlcpy(), strcat() -> strlcat(), etc.).
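The pattern under discussion, as an added example that is not GnuPG's code: the prompt buffer is sized the same way as the quoted patch line, filled with snprintf bounded by that size, and the return value is checked so that truncation is detected rather than silently accepted. A second function deliberately sizes the buffer too small (a constructed case, not a claim about the pre-patch code) to show that snprintf cuts the output off where sprintf would have written past the end. Function names are hypothetical.

```c
/* Added example (not GnuPG code): bounded prompt construction with snprintf. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "s [defname]: " (or "s: " when defname is NULL) into a freshly
 * allocated buffer sized as in the patch. Returns NULL on allocation
 * failure or if the output would not fit; the caller frees the result. */
char *build_prompt(const char *s, const char *defname)
{
    /* Both strings plus a margin for " [", "]: " and the terminating NUL. */
    size_t n = strlen(s) + (defname ? strlen(defname) : 0) + 10;
    char *prompt = malloc(n);
    int written;

    if (!prompt)
        return NULL;
    if (defname)
        written = snprintf(prompt, n, "%s [%s]: ", s, defname);
    else
        written = snprintf(prompt, n, "%s: ", s);

    /* snprintf returns the length it wanted to write; a value >= n means
     * the output was truncated, which sprintf would have turned into an
     * out-of-bounds write. Treat that as an error instead of using it. */
    if (written < 0 || (size_t)written >= n) {
        free(prompt);
        return NULL;
    }
    return prompt;
}

/* Constructed undersized case: the buffer is sized without defname.
 * Returns 1 if snprintf reported truncation, 0 if the text still fit,
 * -1 on allocation failure. No memory outside the buffer is touched. */
int undersized_is_detected(const char *s, const char *defname)
{
    size_t n = strlen(s) + 10;          /* defname's length left out */
    char *buf = malloc(n);
    int written, truncated;

    if (!buf)
        return -1;
    written = snprintf(buf, n, "%s [%s]: ", s, defname);
    truncated = (written < 0 || (size_t)written >= n);
    free(buf);
    return truncated;
}

int main(void)
{
    char *p = build_prompt("Real name", "Alice");
    if (p) {
        printf("%s\n", p);
        free(p);
    }
    printf("undersized buffer truncated: %d\n",
           undersized_is_detected("Real name", "a-long-default-value"));
    return 0;
}
```

The check on snprintf's return value is the part that matters: a bounded call only prevents the overflow, and without the check the caller would continue with a cut-off prompt and never learn that the sizing arithmetic was wrong.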


