On Sat, May 17, 2014 at 11:00, enh wrote:
> inet_ntop4 incorrectly mixes a user-supplied size with a self-supplied
> buffer:
>
> inet_ntop4(const u_char *src, char *dst, size_t size)
> ...
> char tmp[sizeof "255.255.255.255"];
> ...
> l = snprintf(tmp, size, fmt, src[0], src[1], src[2], src[3]);
>
> so if i call inet_ntop(AF_INET, ... with a size larger than
> INET_ADDRSTRLEN it'll overflow.

Thanks. I don't really understand the purpose of the tmp when it could just print into the buf directly, but I've left that alone for now.
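
Added example, not part of the original message and not the committed fix: one way to write the conversion so that the snprintf bound comes from the buffer being written (tmp) and the caller's size is only checked before the copy into dst. The function name ntop4_bounded and the sample addresses are made up for illustration; the ENOSPC error follows the documented inet_ntop(3) convention.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for illustration; keeps the tmp buffer from the quoted code. */
static const char *
ntop4_bounded(const unsigned char *src, char *dst, size_t size)
{
	char tmp[sizeof "255.255.255.255"];
	int l;

	/* Bound the write by the buffer actually written to, never by the caller's size. */
	l = snprintf(tmp, sizeof(tmp), "%u.%u.%u.%u",
	    src[0], src[1], src[2], src[3]);

	/* Reject a failed or truncated format, and a dst too small for text plus NUL. */
	if (l <= 0 || (size_t)l >= sizeof(tmp) || (size_t)l >= size) {
		errno = ENOSPC;
		return NULL;
	}

	/* l + 1 <= size and l + 1 <= sizeof(tmp), so this copy stays in both buffers. */
	memcpy(dst, tmp, (size_t)l + 1);
	return dst;
}

int
main(void)
{
	/* Constructed sample input. */
	const unsigned char addr[4] = { 192, 0, 2, 1 };
	char big[64];   /* larger than INET_ADDRSTRLEN: the case from the report */
	char tiny[4];   /* too small for any dotted quad of this length */

	printf("big:  %s\n", ntop4_bounded(addr, big, sizeof(big)) ? big : "(ENOSPC)");
	printf("tiny: %s\n", ntop4_bounded(addr, tiny, sizeof(tiny)) ? tiny : "(ENOSPC)");
	return 0;
}
```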