Mailing List Archive

From:: Omar Polo <op@omarpolo.com>
Subject:: Re: whois: use getline(3) instead of fgetln(3)
To:: "Todd C. Miller" <millert@openbsd.org>
Cc:: tech@openbsd.org
Date:: Mon, 25 Mar 2024 12:15:06 +0100

Download raw body.

Thread

2024-03-24 20:48 Todd C. Miller:
whois: use getline(3) instead of fgetln(3)
- 2024-03-25 11:15 Omar Polo:
  whois: use getline(3) instead of fgetln(3)
- - 2024-03-25 15:53 Todd C. Miller:
    whois: use getline(3) instead of fgetln(3)

On 2024/03/24 14:48:35 -0600, Todd C. Miller <millert@openbsd.org> wrote:
> This simplifies the code and fixes a potential out of bounds read.
> 
>  - todd

reads fine to me, ok op@

side question as it's not introduced with this but shouldn't we also do

--- usr.bin/whois/whois.c
+++ usr.bin/whois/whois.c
@@ -275,7 +275,6 @@ whois(const char *query, const char *server, const cha
 
 		/* Verisign etc. */
 		if (!(flags & WHOIS_SPAM_ME) &&
-		    len >= sizeof(CHOPSPAM)-1 &&
 		    (strncasecmp(buf, CHOPSPAM, sizeof(CHOPSPAM)-1) == 0 ||
 		     strncasecmp(buf, &CHOPSPAM[4], sizeof(CHOPSPAM)-5) == 0)) {
 			printf("\n");


as len is initialy the length of the line, but then the two go out of
sync, and strncasecmp() is safe to call since buf is always
NUL-terminated?

2024-03-24 20:48 Todd C. Miller:
whois: use getline(3) instead of fgetln(3)
- 2024-03-25 11:15 Omar Polo:
  whois: use getline(3) instead of fgetln(3)
- - 2024-03-25 15:53 Todd C. Miller:
    whois: use getline(3) instead of fgetln(3)