#6227 closed defect (fixed)
Buffer overflow potential in netcdf driver
Reported by: | Kurt Schwehr | Owned by: | warmerdam |
---|---|---|---|
Priority: | normal | Milestone: | 1.11.4 |
Component: | GDAL_Raster | Version: | unspecified |
Severity: | normal | Keywords: | netcdf |
Cc: |
Description
https://www.unidata.ucar.edu/software/netcdf/docs/netcdf-c/nc_005finq_005fvar.html - note the "declare your array to be size NC_MAX_NAME+1" part
Usage

```c
int nc_inq_var      (int ncid, int varid, char *name, nc_type *xtypep,
                     int *ndimsp, int dimids[], int *nattsp);
int nc_inq_varname  (int ncid, int varid, char *name);
int nc_inq_vartype  (int ncid, int varid, nc_type *xtypep);
int nc_inq_varndims (int ncid, int varid, int *ndimsp);
int nc_inq_vardimid (int ncid, int varid, int dimids[]);
int nc_inq_varnatts (int ncid, int varid, int *nattsp);
```

- ncid: NetCDF ID, from a previous call to nc_open or nc_create.
- varid: Variable ID.
- name: Returned variable name. The caller must allocate space for the returned name. The maximum possible length, in characters, of a variable name is given by the predefined constant NC_MAX_NAME. (This doesn't include the null terminator, so declare your array to be size NC_MAX_NAME+1). The returned character array will be null-terminated.
e.g.
```cpp
CPLErr netCDFRasterBand::CreateBandMetadata( int *paDimIds )
{
    netCDFDataset *poDS = reinterpret_cast<netCDFDataset *>( this->poDS );

/* -------------------------------------------------------------------- */
/*      Compute all dimensions from Band number and save in Metadata    */
/* -------------------------------------------------------------------- */
    char szVarName[NC_MAX_NAME];
    nc_inq_varname( cdfid, nZId, szVarName );
```
Change History (4)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|
comment:2 by , 8 years ago
Component: | default → GDAL_Raster |
---|---|
Keywords: | netcdf added |
Milestone: | → 1.11.4 |
Resolution: | → fixed |
Status: | new → closed |
comment:3 by , 8 years ago
branches/1.11 r31850, branches/2.0 r31851 -m "netCDF: add another byte for szMetaName buffer in netCDFDataset::ReadAttributes() (#6227)"
Good catch
trunk r31815 "netCDF: fix potential buffer overflows with uses of nc_inq_varname(), nc_inq_attname() and nc_get_att_text() (identified by Kurt Schwehr, #6227), and also remove most occurrences of strcpy, strcat, sprintf to replace them with snprintf; reduce stack requirements by removing uses of NCDF_MAX_STR_LEN"
branches/2.0 r31816, branches/1.11 r31817 "netCDF: fix potential buffer overflows with uses of nc_inq_varname(), nc_inq_attname() and nc_get_att_text() (identified by Kurt Schwehr, #6227)"
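The off-by-one reported in this ticket and the snprintf replacement named in the trunk commit, as an added example (not GDAL code and not part of the original ticket). `stub_inq_varname`, `overruns`, `build_key` and the `KEY_` prefix are hypothetical names; `NC_MAX_NAME` is redefined with the value netcdf.h uses so the block builds without libnetcdf.

```c
#include <stdio.h>
#include <string.h>

/* Same value as netcdf.h; redefined so this builds without libnetcdf. */
#define NC_MAX_NAME 256

/* Hypothetical stand-in for nc_inq_varname(): like the real call it takes no
 * length argument and writes the name followed by a terminating NUL. */
static void stub_inq_varname(const char *stored, char *name)
{
    strcpy(name, stored);
}

/* Returns 1 if a name of name_len characters overruns a buffer declared with
 * `declared` bytes, 0 if it fits, -1 on bad arguments. The write lands in a
 * larger arena with canary bytes, so the overrun is observed safely. */
int overruns(size_t declared, size_t name_len)
{
    char stored[NC_MAX_NAME + 1];
    char arena[NC_MAX_NAME + 2];

    if (name_len > NC_MAX_NAME || declared > NC_MAX_NAME + 1)
        return -1;
    memset(stored, 'v', name_len);      /* constructed variable name */
    stored[name_len] = '\0';
    memset(arena, 0x5A, sizeof arena);  /* canary pattern */
    stub_inq_varname(stored, arena);
    return arena[declared] != 0x5A;     /* first byte past the declared size */
}

/* Bounded replacement for sprintf(): 0 if the key fit, -1 if it was truncated
 * (dst is NUL-terminated either way). "KEY_" is a constructed prefix. */
int build_key(char *dst, size_t dst_size, const char *name)
{
    int n = snprintf(dst, dst_size, "KEY_%s", name);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

int main(void)
{
    char key[8];
    printf("char[NC_MAX_NAME] overrun:   %d\n", overruns(NC_MAX_NAME, NC_MAX_NAME));
    printf("char[NC_MAX_NAME+1] overrun: %d\n", overruns(NC_MAX_NAME + 1, NC_MAX_NAME));
    printf("build_key(\"abcd\") -> %d\n", build_key(key, sizeof key, "abcd"));
    return 0;
}
```

Only a name of exactly NC_MAX_NAME characters triggers the overrun, which is why the defect is easy to miss with ordinary test files.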