* potential buffer overflow in udev
@ 2004-02-28 15:22 Ryan Lortie
2004-02-28 21:09 ` Kay Sievers
0 siblings, 1 reply; 2+ messages in thread
From: Ryan Lortie @ 2004-02-28 15:22 UTC (permalink / raw)
To: linux-hotplug
I was poking around in the udev code a bit this morning and I came
across this:
void sysbus_send_create(struct udevice *dev, const char *path)
{
char filename[255];
[...]
strncpy(filename, udev_root, sizeof(filename));
strncat(filename, dev->name, sizeof(filename));
There exists a possible buffer overflow condition here.
By the strncat manpage:
The strncat() function is similar, except that only the first n
characters of src are appended to dest.
ie: the size argument corresponds to how many characters you are adding,
not the total size of the resulting string.
Same problem occurs in sysbus_send_remove.
Cheers,
Ryan
-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: potential buffer overflow in udev
2004-02-28 15:22 potential buffer overflow in udev Ryan Lortie
@ 2004-02-28 21:09 ` Kay Sievers
0 siblings, 0 replies; 2+ messages in thread
From: Kay Sievers @ 2004-02-28 21:09 UTC (permalink / raw)
To: linux-hotplug
On Sat, 2004-02-28 at 16:22, Ryan Lortie wrote:
> I was poking around in the udev code a bit this morning and I came
> across this:
>
> void sysbus_send_create(struct udevice *dev, const char *path)
> {
> char filename[255];
> [...]
> strncpy(filename, udev_root, sizeof(filename));
> strncat(filename, dev->name, sizeof(filename));
>
> There exists a possible buffer overflow condition here.
>
> By the strncat manpage:
> The strncat() function is similar, except that only the first n
> characters of src are appended to dest.
>
> ie: the size argument corresponds to how many characters you are adding,
> not the total size of the resulting string.
>
> Same problem occurs in sysbus_send_remove.
Thanks, but please look at the latest version of udev.
It's already fixed two days ago:
http://linuxusb.bkbits.net:8080/udev/cset@1.592?nav=index.html|src/|related/udev_dbus.c
Kay
-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-02-28 21:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-02-28 15:22 potential buffer overflow in udev Ryan Lortie
2004-02-28 21:09 ` Kay Sievers
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).