From 0335cb3e98483511a20f8576f61e6abca5c2a98d Mon Sep 17 00:00:00 2001 From: Jan-Erik Rediger Date: Wed, 18 Nov 2015 14:36:52 +0100 Subject: [PATCH] Prevent buffer overflow when formatting the error strncat might copy n+1 bytes (n bytes from the source plus a terminating nul byte). Also strncat appends after the first found nul byte. But all we pass is a buffer we might not have zeroed out already. Closes #380 --- hiredis.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hiredis.h b/hiredis.h index fe267b9..53c83ca 100644 --- a/hiredis.h +++ b/hiredis.h @@ -98,8 +98,8 @@ * then GNU strerror_r returned an internal static buffer and we \ * need to copy the result into our private buffer. */ \ if (err_str != (buf)) { \ - buf[(len)] = '\0'; \ - strncat((buf), err_str, ((len) - 1)); \ + strncpy((buf), err_str, ((len) - 1)); \ + buf[(len)-1] = '\0'; \ } \ } while (0) #endif