* [PATCH] udev fix another buffer overrun
From: Michael Buesch @ 2004-02-24 20:26 UTC
To: linux-hotplug
Hi,
This patch fixes just another possible buffer overrun
caused by the dangerous sprintf().
--- udev-add.c.orig 2004-02-24 21:17:51.000000000 +0100
+++ udev-add.c 2004-02-24 21:22:34.000000000 +0100
@@ -210,9 +210,14 @@
info("creating device partition nodes '%s[1-%i]'", filename, dev->partitions);
if (!fake) {
for (i = 1; i <= dev->partitions; i++) {
- sprintf(partitionname, "%s%i", filename, i);
- make_node(partitionname, dev->major,
- dev->minor + i, dev->mode, uid, gid);
+ retval = snprintf(partitionname, sizeof(partitionname),
+ "%s%i", filename, i);
+ if (retval >= sizeof(partitionname)) {
+ dbg("partitionname buffer too small");
+ } else {
+ make_node(partitionname, dev->major,
+ dev->minor + i, dev->mode, uid, gid);
+ }
}
}
}
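Review bot: In the new check `if (retval >= sizeof(partitionname))`, the snprintf() result is compared against a size_t, so if retval is an int (its declaration is outside this hunk) a negative error return is converted to a large unsigned value and lands in the "partitionname buffer too small" branch. That still skips make_node(), which is the safe outcome, but the message is then misleading and the comparison mixes signed and unsigned operands. Suggest testing the error case explicitly, for example `if (retval < 0 || (size_t)retval >= sizeof(partitionname))`, and confirming that retval is declared in this function, since the hunk does not add it.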
--
Regards Michael Buesch [ http://www.tuxsoft.de.vu ]
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
* Re: [PATCH] udev fix another buffer overrun
From: Kay Sievers @ 2004-02-24 22:57 UTC
To: linux-hotplug
On Tue, 2004-02-24 at 21:26, Michael Buesch wrote:
> Hi,
>
> This patch fixes just another possible buffer overrun
> caused by the dangerous sprintf().
The name can only be 100 bytes long and partitionname is 255 long,
so it's really theoretical. But I will look at it in the next round of
string-patches.
thanks,
Kay
> --- udev-add.c.orig 2004-02-24 21:17:51.000000000 +0100
> +++ udev-add.c 2004-02-24 21:22:34.000000000 +0100
> @@ -210,9 +210,14 @@
> info("creating device partition nodes '%s[1-%i]'", filename, dev->partitions);
> if (!fake) {
> for (i = 1; i <= dev->partitions; i++) {
> - sprintf(partitionname, "%s%i", filename, i);
> - make_node(partitionname, dev->major,
> - dev->minor + i, dev->mode, uid, gid);
> + retval = snprintf(partitionname, sizeof(partitionname),
> + "%s%i", filename, i);
> + if (retval >= sizeof(partitionname)) {
> + dbg("partitionname buffer too small");
> + } else {
> + make_node(partitionname, dev->major,
> + dev->minor + i, dev->mode, uid, gid);
> + }
> }
> }
> }
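Review bot: In the truncation branch inside the for loop, the failure is reported only through dbg() and the loop carries on to the next partition number. The formatted name is filename followed by i, so later iterations cannot produce a shorter string than the one that failed and every remaining pass will hit the same branch; a `break` after the message avoids the repeated attempts. The skipped node is also worth reporting at the level of the info() call above the loop rather than only at debug level, with filename and i in the message, so a missing partition node can be traced from the log.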
* Re: [PATCH] udev fix another buffer overrun
From: Greg KH @ 2004-02-28 0:56 UTC
To: linux-hotplug
On Tue, Feb 24, 2004 at 09:26:01PM +0100, Michael Buesch wrote:
> Hi,
>
> This patch fixes just another possible buffer overrun
> caused by the dangerous sprintf().
This and your other buffer overflow patches are all fixed up with Kay's
patches, right?
thanks,
greg k-h