Package: clamav
Version: 0.92~dfsg-2
Severity: normal

Hi,

from clamav-milter/clamav-milter.c:

2278         cli_dbgmsg("pingServer%d: sending VERSION\n", serverNumber);
2279         if(send(sock, "VERSION\n", 8, 0) < 8) {
2280                 perror("send");
2281                 return close(sock);
2282         }
2283
2284         shutdown(sock, SHUT_WR);
2285
2286         nbytes = clamd_recv(sock, buf, sizeof(buf));
2287
2288         close(sock);
2289
2290         if(nbytes < 0) {
2291                 perror("recv");
2292                 return 0;
2293         }
2294         if(nbytes == 0)
2295                 return 0;
2296
2297         buf[nbytes] = '\0';

If clamd_recv will read sizeof(buf) bytes you will have an off-by-one in line 2297. The clamd_recv function does not prevent this because it's basically just a wrapper around recv. This does not have any security impact except if this will ping a crafted clamd :)

        buf[nbytes-1] = '\0';

should do the trick.

Kind regards
Nico
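
The off-by-one reported above next to a bounded read, as an added example that is not part of the original report or of ClamAV's code. `recv_wrapper` is a hypothetical stand-in for `clamd_recv`, and the 16-byte buffer and the reply data are constructed.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for clamd_recv(): a thin wrapper around recv(). */
static ssize_t recv_wrapper(int sock, char *buf, size_t len)
{
    return recv(sock, buf, len, 0);
}

/* Index where the reported pattern would put '\0' after asking for cap bytes.
 * The write is not performed here; a result equal to cap is out of bounds. */
ssize_t reported_index(int sock, char *buf, size_t cap)
{
    return recv_wrapper(sock, buf, cap);
}

/* Bounded variant: ask for cap - 1 bytes so buf[nbytes] is always in range
 * and every received byte is kept. Returns the string length or -1. */
ssize_t read_reply(int sock, char *buf, size_t cap)
{
    ssize_t nbytes;
    if (cap == 0 || (nbytes = recv_wrapper(sock, buf, cap - 1)) < 0)
        return -1;
    buf[nbytes] = '\0';
    return nbytes;
}

/* Feed a constructed reply of reply_len 'A' bytes through a socketpair into
 * a 16-byte buffer and return the terminator index each variant picks. */
ssize_t demo(size_t reply_len, int bounded)
{
    int sv[2];
    char reply[256], buf[16];
    ssize_t idx = -1;
    if (reply_len > sizeof(reply) || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    memset(reply, 'A', sizeof(reply));
    if (send(sv[0], reply, reply_len, 0) == (ssize_t)reply_len) {
        shutdown(sv[0], SHUT_WR);
        idx = bounded ? read_reply(sv[1], buf, sizeof(buf))
                      : reported_index(sv[1], buf, sizeof(buf));
    }
    close(sv[0]);
    close(sv[1]);
    return idx;
}
```

With a 32-byte reply the unbounded read yields index 16, one past the last element of the 16-byte buffer, while the bounded read yields 15.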