* [uml-devel] [PATCH] uml: Read buffer overflow
@ 2009-08-11 20:44 Roel Kluin
From: Roel Kluin @ 2009-08-11 20:44 UTC (permalink / raw)
To: Jeff Dike, user-mode-linux-devel, Andrew Morton
Prevent write to init->argw.argv[SLIRP_MAX_ARGS]
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
If i becomes SLIRP_MAX_ARGS - 1 and `*str != ','` evaluates to
true, then we write init->argw.argv[SLIRP_MAX_ARGS].
Can this occur?
diff --git a/arch/um/drivers/slirp_kern.c b/arch/um/drivers/slirp_kern.c
index e376284..39bc9a7 100644
--- a/arch/um/drivers/slirp_kern.c
+++ b/arch/um/drivers/slirp_kern.c
@@ -97,6 +97,9 @@ static int slirp_setup(char *str, char **mac_out, void *data)
*str++ = '\0';
} while (1);
+ if (i == SLIRP_MAX_ARGS)
+ i--;
+
init->argw.argv[i] = NULL;
return 1;
}
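Review bot: the added `if (i == SLIRP_MAX_ARGS) i--;` ahead of `init->argw.argv[i] = NULL;` keeps the terminator in bounds by overwriting the last argument that was parsed, so an over-long argument list is truncated silently. Consider returning an error, or at least printing a warning, when the limit is reached instead of dropping an argument, and state in the changelog which behaviour is intended. The check uses `==`, so it relies on the loop above never leaving i greater than SLIRP_MAX_ARGS; the loop body is not visible in this hunk, so either confirm that bound in the changelog or test with `>=` and clamp to SLIRP_MAX_ARGS - 1. The subject says "Read buffer overflow" while the description and the fix concern a write; the subject should match.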