From 0335cb3e98483511a20f8576f61e6abca5c2a98d Mon Sep 17 00:00:00 2001
From: Jan-Erik Rediger <janerik@fnordig.de>
Date: Wed, 18 Nov 2015 14:36:52 +0100
Subject: Prevent buffer overflow when formatting the error

strncat might copy n+1 bytes (n bytes from the source plus a terminating nul byte).
Also strncat appends after the first found nul byte. But all we pass is
a buffer we might not have zeroed out already.

Closes #380
---
 hiredis.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'hiredis.h')

diff --git a/hiredis.h b/hiredis.h
index fe267b9..53c83ca 100644
--- a/hiredis.h
+++ b/hiredis.h
@@ -98,8 +98,8 @@
          * then GNU strerror_r returned an internal static buffer and we       \
          * need to copy the result into our private buffer. */                 \
         if (err_str != (buf)) {                                                \
-            buf[(len)] = '\0';                                                 \
-            strncat((buf), err_str, ((len) - 1));                              \
+            strncpy((buf), err_str, ((len) - 1));                              \
+            buf[(len)-1] = '\0';                                               \
         }                                                                      \
     } while (0)
 #endif
-- 
cgit v1.2.3