From: Andrey Borzenkov
Date: Sat, 05 Sep 2009 19:07:09 +0000
Subject: Re: [PATCH] fix buffer overflow in util_run_program()
Message-Id: <200909052307.09815.arvidjaar@mail.ru>
References: <20090904195414.GS4363@florz.florz.dyndns.org>
In-Reply-To: <20090904195414.GS4363@florz.florz.dyndns.org>
To: linux-hotplug@vger.kernel.org

On Saturday 05 of September 2009 22:41:27 Alan Jenkins wrote:
> On 9/5/09, Florian Zumbiehl wrote:
> > Hi,
> >
> >> > Now, what am I missing? I obviously do not understand much of
> >> > how udev works, but if the code of this function is not somewhat
> >> > pointless, then how would there not be a potential buffer
> >> > overflow?
> >> >
> >> > Florian
> >>
> >> Running "ls  -l" (two spaces) should be equivalent to "ls -l" (one
> >> space). arg filled with spaces should be more or less equivalent
> >> to arg = "". If it's not - then that's the real bug.
> >
> > Well, I don't want to get into fixing semantic bugs, as there
> > generally doesn't seem to be much of a hint as to what the intended
> > semantics are - except that you wonder how the code's semantics
> > could actually be intentional. So I would suggest fixing the buffer
> > overflow for now, until someone feels like taking care of the
> > semantic bug.
>
> My point was that I don't see any such semantic bug; I can't see
> where the overflow would come from.
>
> As far as I can see, the code uses strsep() which will correctly
> interpret a string of spaces as containing no tokens - and return
> NULL.
>
> If I'm right, there's a different semantic bug - the use of strsep()
> to find a closing quote, which will fail for strings like
>
> ' a '' b '
>

If this is assumed to be two arguments ' a ' and ' b ', this function
works correctly. What is really not possible is to quote the quote.
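The quoting behaviour discussed in this thread, as an added example and not udev's own code: an illustrative argument splitter in the strsep() style the thread describes (strsep() on ' ' for bare words, strsep() on '\'' to find the closing quote). The names split_args(), count_args() and arg_equals(), the MAX_ARGS limit, the leading/trailing space handling and the error return for an unterminated quote are this example's assumptions and are not taken from util_run_program().

```c
#define _GNU_SOURCE          /* strsep() is a BSD/GNU extension */
#include <stdio.h>
#include <string.h>

/* Explicit prototype in case the feature macro above was not in effect
 * when <string.h> was first included (e.g. strict -std=c99 builds). */
char *strsep(char **stringp, const char *delim);

#define MAX_ARGS 8           /* assumed limit for this demo, incl. the NULL slot */

/*
 * Illustrative quote-aware splitter (added example, not udev's code).
 * Splits `line` in place and stores pointers into it in argv[].
 * Returns the argument count, or -1 on an unterminated quote or when
 * argv[] (argv_size entries, one reserved for the final NULL) would overflow.
 */
static int split_args(char *line, char *argv[], size_t argv_size)
{
    char *pos = line;
    size_t i = 0;

    /* a run of leading spaces produces no argument at all */
    while (*pos == ' ')
        pos++;

    while (pos != NULL && *pos != '\0') {
        if (i >= argv_size - 1)         /* keep room for argv[i] = NULL */
            return -1;

        if (*pos == '\'') {
            /* quoted word: everything up to the next quote, spaces kept;
             * there is no escape, so a quote can never be part of a word */
            pos++;
            argv[i] = strsep(&pos, "'");
            if (pos == NULL)            /* no closing quote found */
                return -1;
        } else {
            argv[i] = strsep(&pos, " ");
        }
        i++;

        /* swallow the separator run so "ls  -l" equals "ls -l" */
        while (pos != NULL && *pos == ' ')
            pos++;
    }
    argv[i] = NULL;
    return (int)i;
}

/* Demo helper: number of arguments in a copy of `input` (split is in place). */
static int count_args(const char *input)
{
    char buf[256], *argv[MAX_ARGS];

    if (strlen(input) >= sizeof(buf))
        return -1;
    strcpy(buf, input);
    return split_args(buf, argv, MAX_ARGS);
}

/* Demo helper: 1 if argument `idx` of the split of `input` is exactly `expected`. */
static int arg_equals(const char *input, int idx, const char *expected)
{
    char buf[256], *argv[MAX_ARGS];
    int n;

    if (strlen(input) >= sizeof(buf))
        return 0;
    strcpy(buf, input);
    n = split_args(buf, argv, MAX_ARGS);
    return n > idx && strcmp(argv[idx], expected) == 0;
}

int main(void)
{
    /* constructed inputs covering the cases raised in the thread */
    const char *inputs[] = {
        "ls  -l",           /* two spaces behave like one */
        "' a '' b '",       /* two quoted args, ' a ' and ' b ' */
        "'it''s'",          /* doubling the quote does not quote it */
        "    ",             /* only spaces: zero arguments */
        "'unterminated",    /* error: no closing quote */
    };
    size_t k;

    for (k = 0; k < sizeof(inputs) / sizeof(inputs[0]); k++) {
        char buf[256], *argv[MAX_ARGS];
        int n, j;

        strcpy(buf, inputs[k]);
        n = split_args(buf, argv, MAX_ARGS);
        printf("%-16s -> %d arg(s)", inputs[k], n);
        for (j = 0; j < n; j++)
            printf(" [%s]", argv[j]);
        putchar('\n');
    }
    return 0;
}
```

With this splitter, ' a '' b ' comes out as exactly the two arguments ' a ' and ' b ', and 'it''s' becomes the two words it and s, which is the "cannot quote the quote" limitation in concrete form. The check of the argument count against argv_size is a defensive bound of this example; the thread does not settle where the reported overflow lies, and the example does not claim to reproduce it.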