From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kay Sievers Date: Sat, 28 Feb 2004 21:09:09 +0000 Subject: Re: potential buffer overflow in udev Message-Id: <1078002549.1193.9.camel@pim> List-Id: References: <1077981760.18811.3.camel@peloton.desrt.ca> In-Reply-To: <1077981760.18811.3.camel@peloton.desrt.ca> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: linux-hotplug@vger.kernel.org On Sat, 2004-02-28 at 16:22, Ryan Lortie wrote: > I was poking around in the udev code a bit this morning and I came > across this: > > void sysbus_send_create(struct udevice *dev, const char *path) > { > char filename[255]; > [...] > strncpy(filename, udev_root, sizeof(filename)); > strncat(filename, dev->name, sizeof(filename)); > > There exists a possible buffer overflow condition here. > > By the strncat manpage: > The strncat() function is similar, except that only the first n > characters of src are appended to dest. > > ie: the size argument corresponds to how many characters you are adding, > not the total size of the resulting string. > > Same problem occurs in sysbus_send_remove. Thanks, but please look at the latest version of udev. It's already fixed two days ago: http://linuxusb.bkbits.net:8080/udev/cset@1.592?nav=index.html|src/|related/udev_dbus.c Kay ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id56&alloc_id438&op=click _______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel