From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ryan Lortie
Date: Sat, 28 Feb 2004 15:22:40 +0000
Subject: potential buffer overflow in udev
Message-Id: <1077981760.18811.3.camel@peloton.desrt.ca>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-hotplug@vger.kernel.org

I was poking around in the udev code a bit this morning and I came
across this:

    void sysbus_send_create(struct udevice *dev, const char *path)
    {
            char filename[255];
    [...]
            strncpy(filename, udev_root, sizeof(filename));
            strncat(filename, dev->name, sizeof(filename));

There exists a possible buffer overflow condition here. By the strncat
manpage:

    The strncat() function is similar, except that only the first n
    characters of src are appended to dest.

ie: the size argument corresponds to how many characters you are adding,
not the total size of the resulting string.

Same problem occurs in sysbus_send_remove.

Cheers,
Ryan
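
The size-argument point made in the message above, as an added C example that is not part of the original post or of udev's code: it runs the quoted call pattern inside a larger backing buffer to measure how far the result exceeds 255 bytes, next to a version that passes strncat only the remaining space. The helper names `quoted_pattern_len` and `bounded_join`, the `/udev/` root and the 300-character device name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FILENAME_SIZE 255  /* size of filename[] in the quoted code */

/* The quoted call pattern, run inside a larger backing buffer so the excess
 * can be measured without undefined behaviour. Returns the resulting length;
 * anything above FILENAME_SIZE - 1 would not have fit in filename[]. */
static size_t quoted_pattern_len(const char *root, const char *name)
{
    char backing[4 * FILENAME_SIZE];
    memset(backing, 0, sizeof(backing));
    strncpy(backing, root, FILENAME_SIZE);  /* bound: whole buffer */
    strncat(backing, name, FILENAME_SIZE);  /* bound: whole buffer, again */
    return strlen(backing);
}

/* Hypothetical helper: same two calls, with strncat given only the space
 * that is left. Returns 0 on success, -1 if the result was truncated. */
static int bounded_join(char *dst, size_t dstsz, const char *root, const char *name)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, root, dstsz - 1);
    dst[dstsz - 1] = '\0';                        /* strncpy may not terminate */
    strncat(dst, name, dstsz - strlen(dst) - 1);  /* remaining room, minus NUL */
    return (strlen(root) + strlen(name) < dstsz) ? 0 : -1;
}

int main(void)
{
    char name[301], filename[FILENAME_SIZE];
    memset(name, 'a', sizeof(name) - 1);          /* constructed 300-char name */
    name[sizeof(name) - 1] = '\0';

    printf("quoted pattern: %zu bytes + NUL, buffer holds %d\n",
           quoted_pattern_len("/udev/", name), FILENAME_SIZE);
    int rc = bounded_join(filename, sizeof(filename), "/udev/", name);
    printf("bounded_join: rc=%d, length=%zu\n", rc, strlen(filename));
    return 0;
}
```

A caller that cannot tolerate a truncated device path should treat the -1 return as an error instead of using the shortened string.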