compat/inet_ntop: fix off-by-one in inet_ntop4

Our compat inet_ntop4 function writes to a temporary buffer
with snprintf, and then uses strcpy to put the result into
the final "dst" buffer. We check the return value of
snprintf against the size of "dst", but fail to account for
the NUL terminator. As a result, we may overflow "dst" with
a single NUL. In practice, this doesn't happen because the
output of inet_ntop is limited, and we provide buffers that
are way oversized.

We can fix the off-by-one check easily, but while we are
here let's also use strlcpy for increased safety, just in
case there are other bugs lurking.

As a side note, this compat code seems to be BSD-derived.
Searching for "vixie inet_ntop" turns up NetBSD's latest
version of the same code, which has an identical fix (and
switches to strlcpy, too!).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/compat/inet_ntop.c b/compat/inet_ntop.c
index 90b7cc45f33411bbc39cd731ca3e43288cb40b69..68307262be04955993590e32daecc08fcf7eda60 100644 (file)
--- a/compat/inet_ntop.c
+++ b/compat/inet_ntop.c
@@ -53,11 +53,11 @@ inet_ntop4(const u_char *src, char *dst, size_t size)
        nprinted = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
        if (nprinted < 0)
                return (NULL);  /* we assume "errno" was set by "snprintf()" */
-       if ((size_t)nprinted > size) {
+       if ((size_t)nprinted >= size) {
                errno = ENOSPC;
                return (NULL);
        }
-       strcpy(dst, tmp);
+       strlcpy(dst, tmp, size);
        return (dst);
 }
 
@@ -154,7 +154,7 @@ inet_ntop6(const u_char *src, char *dst, size_t size)
                errno = ENOSPC;
                return (NULL);
        }
-       strcpy(dst, tmp);
+       strlcpy(dst, tmp, size);
        return (dst);
 }
 #endif