From d456be19439add65aed72397685d258100171df7 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 16:13:34 +0200 Subject: [PATCH] security: fix strcpy into fixed-size buffer in netjack2 driver Memory Safety: Low strcpy() into the fixed-size params.type[8] buffer has no bounds checking. While the current literal string "params" fits exactly, this pattern is fragile and would silently overflow if the string were ever changed. Use snprintf() with sizeof() for bounds safety, consistent with how params.name and params.follower_name are handled on the lines immediately following. Co-Authored-By: Claude Opus 4.6 --- src/modules/module-netjack2-driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/module-netjack2-driver.c b/src/modules/module-netjack2-driver.c index e9f846ace..40ad33eab 100644 --- a/src/modules/module-netjack2-driver.c +++ b/src/modules/module-netjack2-driver.c @@ -1006,7 +1006,7 @@ static int send_follower_available(struct impl *impl) client_name = DEFAULT_CLIENT_NAME; spa_zero(params); - strcpy(params.type, "params"); + snprintf(params.type, sizeof(params.type), "params"); params.version = htonl(NJ2_NETWORK_PROTOCOL); params.packet_id = htonl(NJ2_ID_FOLLOWER_AVAILABLE); snprintf(params.name, sizeof(params.name), "%s", client_name);