From 68629e71e617d949b87e9903bd58c5e91de5f08f Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Wed, 6 May 2026 21:45:58 +0200
Subject: [PATCH] CVE-2026-44069: libatalk/util: bound volxlate address formatting

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 libatalk/util/netatalk_conf.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/libatalk/util/netatalk_conf.c b/libatalk/util/netatalk_conf.c
index 9b85d256d..58b04945a 100644
--- a/libatalk/util/netatalk_conf.c
+++ b/libatalk/util/netatalk_conf.c
@@ -518,8 +518,13 @@ static char *volxlate(const AFPObj *obj,
 if (obj->proto == AFPPROTO_ASP) {
 ASP asp = obj->handle;
- len = sprintf(dest, "%u.%u", ntohs(asp->asp_sat.sat_addr.s_net),
- asp->asp_sat.sat_addr.s_node);
+ len = snprintf(dest, destlen, "%u.%u", ntohs(asp->asp_sat.sat_addr.s_net),
+ asp->asp_sat.sat_addr.s_node);
+
+ if (len < 0 || (size_t)len >= destlen) {
+ break;
+ }
+
 dest += len;
 destlen -= len;
 }
@@ -528,9 +533,14 @@ static char *volxlate(const AFPObj *obj,
 if (obj->proto == AFPPROTO_DSI) {
 DSI *dsi = obj->dsi;
- len = sprintf(dest, "%s:%u",
- getip_string((struct sockaddr *)&dsi->client),
- getip_port((struct sockaddr *)&dsi->client));
+ len = snprintf(dest, destlen, "%s:%u",
+ getip_string((struct sockaddr *)&dsi->client),
+ getip_port((struct sockaddr *)&dsi->client));
+
+ if (len < 0 || (size_t)len >= destlen) {
+ break;
+ }
+
 dest += len;
 destlen -= len;
 }
@@ -556,7 +566,12 @@ static char *volxlate(const AFPObj *obj,
 if (obj->proto == AFPPROTO_ASP) {
 ASP asp = obj->handle;
- len = sprintf(dest, "%u", ntohs(asp->asp_sat.sat_addr.s_net));
+ len = snprintf(dest, destlen, "%u", ntohs(asp->asp_sat.sat_addr.s_net));
+
+ if (len < 0 || (size_t)len >= destlen) {
+ break;
+ }
+
 dest += len;
 destlen -= len;
 }
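Review bot: On truncation the new `break;` in the first hunk's `AFPPROTO_ASP` branch exits with up to `destlen - 1` bytes of a cut-off address already written into `dest` by `snprintf`, and nothing visible in the hunk reports the failure to the caller; the `AFPPROTO_DSI` hunk and the third (`"%u"`) hunk repeat the same pattern. volxlate appears to expand variables in volume configuration strings, so a silently shortened expansion could name a different location than the one configured; treating the overflow as a hard failure (log it and take the function's error return instead of `break;`) would be safer than a quiet exit. What `break` leaves (a loop or a switch) and the code that runs afterwards are outside the hunks, so please confirm that nothing after it appends to `dest` again or returns the partial string as a valid result. If the quiet exit is intentional, a comment at each check such as `/* expansion does not fit: stop; dest holds a truncated value */` would document it. The three identical `len < 0 || (size_t)len >= destlen` checks could also move into one small static helper so the bound is enforced in a single place.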