From mboxrd@z Thu Jan 1 00:00:00 1970
From: Johannes Erdfelt
Date: Tue, 17 Feb 2004 19:22:21 +0000
Subject: Re: [PATCH] symlink name and possible overflow in create_node()
Message-Id: <20040217192221.GR16632@sventech.com>
List-Id:
References: <20040217190010.GA9773@suse.de>
In-Reply-To: <20040217190010.GA9773@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-hotplug@vger.kernel.org

On Tue, Feb 17, 2004, Olaf Hering wrote:
> the filename array might overflow if I interpret the strncat man page correctly.
>
> --- ./udev-add.c~ 2004-02-16 22:58:24.000000000 +0100 > +++ ./udev-add.c 2004-02-17 19:56:56.000000000 +0100 > @@ -146,7 +146,7 @@ static int create_node(struct udevice *d > int tail; > > strncpy(filename, udev_root, sizeof(filename)); > - strncat(filename, dev->name, sizeof(filename)); > + strncat(filename, dev->name, sizeof(filename) - strlen(filename)); > > switch (dev->type) { > case 'b':

strncpy/strncat don't null terminate strings if they hit the maximum size.
Looks like all of those calls need some code to explicitly null terminate the
strings as well.

    strncpy(filename, udev_root, sizeof(filename));
    filename[sizeof(filename) - 1] = 0;
    /* leave one byte of the bound for the terminator */
    strncat(filename, dev->name, sizeof(filename) - strlen(filename) - 1);
    filename[sizeof(filename) - 1] = 0;

Otherwise, it could cause strange behaviour when the strings are actually
used.

JE
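
Review bot: the new bound on the `+` line, `sizeof(filename) - strlen(filename)`, is still one byte too large. strncat appends up to n characters and then writes a terminating NUL, so when exactly that much room is left the NUL lands one byte past the end of `filename`; use `sizeof(filename) - strlen(filename) - 1`. The context line above it, `strncpy(filename, udev_root, sizeof(filename));`, leaves `filename` unterminated when `udev_root` is at least sizeof(filename) bytes long, and the new `strlen(filename)` would then read past the array, so set `filename[sizeof(filename) - 1] = 0` before the strncat call.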
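
The termination and bound behaviour discussed in this thread, as an added example that is not part of the original mail or of udev: `BUF`, `GUARD`, the sample strings and the `build_filename` helper are constructed for illustration. The pretend buffer sits inside a larger array so that the one-byte overrun from the `sizeof - strlen` bound can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define BUF   8   /* stands in for sizeof(filename); constructed for the demo */
#define GUARD 4   /* extra bytes so a write past BUF stays inside the array */

/* Returns 1 if strncpy left a NUL inside the first BUF bytes, 0 if not. */
int strncpy_terminates(const char *root)
{
    char arena[BUF + GUARD];
    memset(arena, 0x55, sizeof(arena));
    strncpy(arena, root, BUF);
    return memchr(arena, '\0', BUF) != NULL;
}

/* Returns 1 if the byte just past the pretend buffer is untouched after
 * strncat with bound BUF - strlen - slack (slack 0 = patch, 1 = corrected). */
int guard_intact(const char *root, const char *name, size_t slack)
{
    char arena[BUF + GUARD];
    memset(arena, 0x55, sizeof(arena));
    strncpy(arena, root, BUF);
    arena[BUF - 1] = '\0';              /* keeps strlen() inside BUF */
    strncat(arena, name, BUF - strlen(arena) - slack);
    return arena[BUF] == 0x55;
}

/* Hypothetical helper: bounded join that reports truncation instead of hiding it. */
int build_filename(char *dst, size_t size, const char *root, const char *name)
{
    if (size == 0 || strlen(root) + strlen(name) >= size)
        return -1;                      /* would not fit together with its NUL */
    strncpy(dst, root, size);
    dst[size - 1] = '\0';
    strncat(dst, name, size - strlen(dst) - 1);
    return 0;
}

int main(void)
{
    char filename[BUF];
    printf("strncpy terminates \"/devices\": %d\n", strncpy_terminates("/devices"));
    printf("guard intact, patch bound:     %d\n", guard_intact("/dev/", "ttyS0", 0));
    printf("guard intact, bound - 1:       %d\n", guard_intact("/dev/", "ttyS0", 1));
    printf("build_filename too long:       %d\n", build_filename(filename, BUF, "/dev/", "ttyS0"));
    return 0;
}
```

Silent truncation of a device node path is itself a hazard, which is why the helper returns an error rather than a shortened name.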