All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] Possible buffer overflow
@ 2006-11-30 17:06 Matthias Koenig
  2006-11-30 19:35 ` Jeff Moyer
  0 siblings, 1 reply; 3+ messages in thread
From: Matthias Koenig @ 2006-11-30 17:06 UTC (permalink / raw)
  To: autofs mailing list

Hi,

There seems to be a possible buffer overflow in modules/mount_afs.c.
strncat(dest, src, n) uses at most n chars from src. n is not the
size of dest. Patch below.

Regards,
Matthias

--- modules/mount_afs.c
+++ modules/mount_afs.c
@@ -36,8 +36,8 @@
 	char dest[PATH_MAX * 2];
 
 	strcpy(dest, root);	/* Convert the name to a mount point. */
-	strncat(dest, "/", sizeof(dest));
-	strncat(dest, name, sizeof(dest));
+	strncat(dest, "/", sizeof(dest)-strlen(dest)-1);
+	strncat(dest, name, sizeof(dest)-strlen(dest)-1);
 
 	/* remove trailing slash (http://bugs.debian.org/141775) */
 	if (dest[strlen(dest)-1] == '/')

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] Possible buffer overflow
  2006-11-30 17:06 [PATCH] Possible buffer overflow Matthias Koenig
@ 2006-11-30 19:35 ` Jeff Moyer
  2006-12-01  2:01   ` Ian Kent
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff Moyer @ 2006-11-30 19:35 UTC (permalink / raw)
  To: Matthias Koenig; +Cc: autofs mailing list

==> On Thu, 30 Nov 2006 18:06:43 +0100, Matthias Koenig <mkoenig@suse.de> said:

Matthias> Hi,
Matthias> There seems to be a possible buffer overflow in modules/mount_afs.c.
Matthias> strncat(dest, src, n) uses at most n chars from src. n is not the
Matthias> size of dest. Patch below.

The fix seems correct to me.  Have you actually seen a problem in the
wild?  I wonder why the dest string is twice the maximum path length;
that doesn't make a whole lot of sense.  Perhaps we should fix that
while we're in here.

-Jeff

> --- modules/mount_afs.c
> +++ modules/mount_afs.c
> @@ -36,8 +36,8 @@
>  	char dest[PATH_MAX * 2];

>  	strcpy(dest, root);	/* Convert the name to a mount point. */
> -	strncat(dest, "/", sizeof(dest));
> -	strncat(dest, name, sizeof(dest));
> +	strncat(dest, "/", sizeof(dest)-strlen(dest)-1);
> +	strncat(dest, name, sizeof(dest)-strlen(dest)-1);

>  	/* remove trailing slash (http://bugs.debian.org/141775) */
>  	if (dest[strlen(dest)-1] == '/')

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] Possible buffer overflow
  2006-11-30 19:35 ` Jeff Moyer
@ 2006-12-01  2:01   ` Ian Kent
  0 siblings, 0 replies; 3+ messages in thread
From: Ian Kent @ 2006-12-01  2:01 UTC (permalink / raw)
  To: Jeff Moyer; +Cc: autofs mailing list

On Thu, 2006-11-30 at 14:35 -0500, Jeff Moyer wrote:
> ==> On Thu, 30 Nov 2006 18:06:43 +0100, Matthias Koenig <mkoenig@suse.de> said:
> 
> Matthias> Hi,
> Matthias> There seems to be a possible buffer overflow in modules/mount_afs.c.
> Matthias> strncat(dest, src, n) uses at most n chars from src. n is not the
> Matthias> size of dest. Patch below.
> 
> The fix seems correct to me.  Have you actually seen a problem in the
> wild?  I wonder why the dest string is twice the maximum path length;
> that doesn't make a whole lot of sense.  Perhaps we should fix that
> while we're in here.

Yes, that array does seem to be excessive.
I was thinking that it would be better to calculate the length, check it
and then do the copy.

> 
> -Jeff
> 
> > --- modules/mount_afs.c
> > +++ modules/mount_afs.c
> > @@ -36,8 +36,8 @@
> >  	char dest[PATH_MAX * 2];
> 
> >  	strcpy(dest, root);	/* Convert the name to a mount point. */
> > -	strncat(dest, "/", sizeof(dest));
> > -	strncat(dest, name, sizeof(dest));
> > +	strncat(dest, "/", sizeof(dest)-strlen(dest)-1);
> > +	strncat(dest, name, sizeof(dest)-strlen(dest)-1);
> 
> >  	/* remove trailing slash (http://bugs.debian.org/141775) */
> >  	if (dest[strlen(dest)-1] == '/')
> 
> _______________________________________________
> autofs mailing list
> autofs@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/autofs

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-12-01  2:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-30 17:06 [PATCH] Possible buffer overflow Matthias Koenig
2006-11-30 19:35 ` Jeff Moyer
2006-12-01  2:01   ` Ian Kent

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.