From: Jan Niehusmann <jan@gondor.com>
To: linux-lvm@msede.com
Cc: Linux-LVM-Bug@ez-darmstadt.telekom.de
Subject: [linux-lvm] [patch] bug in lvm_remove_recursive.c
Date: Fri, 4 Aug 2000 12:00:38 +0200
Message-ID: <20000804120038.A1069@gondor.com>

[-- Attachment #1: Type: text/plain, Size: 721 bytes --]

Hello!

I found a malloc size off-by-one bug in lvm_remove_recursive.c.
file_name is allocated with size strlen (dir) + strlen (dir_ent->d_name) + 2,
and then used with sprintf ( file_name, "%s/%s%c", dir, dir_ent->d_name, 0);
As sprintf automatically appends another 0 byte, the allocated memory is one
byte too short.

Normally this doesn't hurt, but today, after I created a lv with the
relatively long name 'reisertest', I got a segmentation fault in vgscan.
Applying the attached patch cured that.

Please note that I simply increase the malloc size. Now file_name is 
terminated by two 0 bytes. It may be better to remove the manually added
0, or to switch to snprintf (snprintf doesn't add a 0 byte, IIRC).

Jan



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 608 bytes --]

--- 0.8final/tools/lib/lvm_remove_recursive.c	Tue Feb 22 03:09:32 2000
+++ 0.8final-changed/tools/lib/lvm_remove_recursive.c	Fri Aug  4 11:07:04 2000
@@ -44,7 +44,7 @@
                     strcmp ( dir_ent->d_name,"..") == 0) continue;
                if ( ( file_name = malloc ( strlen (dir) +
                                            strlen (dir_ent->d_name) +
-                                           2)) == NULL) {
+                                           3)) == NULL) {
                   ret = -LVM_EREMOVE_RECURSIVE_MALLOC;
                   goto lvm_remove_recursive_end;
                }
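
Review bot: The new constant in `strlen (dir_ent->d_name) + 3` is only correct while the sprintf call quoted in the message keeps its explicit `%c` with a 0 argument, and nothing in the hunk says what the three bytes are for. Either drop the `%c` and the trailing 0 from that sprintf so the original `+ 2` (one byte for '/', one for the terminator) is right, or keep `+ 3` and add a comment naming the three bytes. Since the size is already computed here, storing it in a variable and passing it as the bound of the formatting call would stop any later mismatch between format and size from writing past the allocation.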
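
The size arithmetic described in the message, worked through as an added example; this is not code from LVM or from the patch. The directory `/dev/vg0` is a constructed sample (only the name `reisertest` comes from the report), and `bytes_written_original`, `alloc_size` and `join_path` are hypothetical helper names.

```c
/* Added example, not LVM code: buffer sizes for the "dir/name" string. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that sprintf(buf, "%s/%s%c", dir, name, 0) stores, counting the
 * terminating NUL that sprintf appends after the formatted output. */
size_t bytes_written_original(const char *dir, const char *name)
{
    /* snprintf(NULL, 0, ...) returns the formatted length without that NUL;
     * the NUL produced by %c is part of the formatted length. */
    int n = snprintf(NULL, 0, "%s/%s%c", dir, name, 0);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Allocation size used by the code: extra is 2 in 0.8final, 3 after the patch. */
size_t alloc_size(const char *dir, const char *name, size_t extra)
{
    return strlen(dir) + strlen(name) + extra;
}

/* Hypothetical alternative: no explicit %c, one size value shared by the
 * allocation and the bounded write. Returns malloc'd "dir/name" or NULL. */
char *join_path(const char *dir, const char *name)
{
    size_t size = strlen(dir) + 1 /* '/' */ + strlen(name) + 1 /* NUL */;
    char *path = malloc(size);
    if (path == NULL)
        return NULL;
    int n = snprintf(path, size, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= size) {   /* error, or output did not fit */
        free(path);
        return NULL;
    }
    return path;
}

int main(void)
{
    const char *dir = "/dev/vg0";       /* constructed sample directory */
    const char *name = "reisertest";    /* LV name from the report */
    printf("written=%zu alloc(+2)=%zu alloc(+3)=%zu\n",
           bytes_written_original(dir, name),
           alloc_size(dir, name, 2), alloc_size(dir, name, 3));
    char *p = join_path(dir, name);
    if (p) { puts(p); free(p); }
    return 0;
}
```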
