From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sergey Vlasov Date: Thu, 01 Feb 2007 19:09:00 +0000 Subject: Re: [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Message-Id: <20070201190900.GC6381@procyon.home> MIME-Version: 1 Content-Type: multipart/mixed; boundary="===============0575385233==" List-Id: References: <1170342384945-git-send-email-vsu@altlinux.ru> In-Reply-To: <1170342384945-git-send-email-vsu@altlinux.ru> To: linux-hotplug@vger.kernel.org --===============0575385233== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NKoe5XOeduwbEQHU" Content-Disposition: inline --NKoe5XOeduwbEQHU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 01, 2007 at 06:18:16PM +0100, Kay Sievers wrote: > On 2/1/07, Sergey Vlasov wrote: > >When truncating the substitution string to the length specified in the > >format string, head[len] =3D '\0' could write outside the buffer if that > >length was too large. > > > >Signed-off-by: Sergey Vlasov > >--- > > udev_rules.c | 2 +- > > 1 files changed, 1 insertions(+), 1 deletions(-) > > > >diff --git a/udev_rules.c b/udev_rules.c > >index 44b41e9..90a83e5 100644 > >--- a/udev_rules.c > >+++ b/udev_rules.c > >@@ -558,7 +558,7 @@ found: > > break; > > } > > /* possibly truncate to format-char specified length */ > >- if (len !=3D -1) { > >+ if (len >=3D 0 && (size_t)len < maxsize - (head-string))= { >=20 > Yeah, that should be fixed. Wouldn't: > if (len >=3D 0 && len <=3D strlen(head)) > also catch strings which fit in the buffer, but are shorter than the > specified limit? Yes, this should work properly too (or even "&& len < strlen(head)" to skip writing '\0' over itself). Working in constant time is probably not an issue here, given the number of strlcat() calls around. --NKoe5XOeduwbEQHU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFwjrMW82GfkQfsqIRAj/kAJ9ZLhvFFn6cMIpyGlUkBu03iwvqqwCdHKAL PBHqQNN2pVxJ0b4X5oc5ubI= =1jGZ -----END PGP SIGNATURE----- --NKoe5XOeduwbEQHU-- --===============0575385233== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 --===============0575385233== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel --===============0575385233==--