On Thu, Nov 20, 2003 at 01:47:36AM +0100, Arnd Bergmann wrote:
> On Thursday 20 November 2003 13:31, Kay Sievers wrote:
> > +                       for (i=0; i < CALLOUT_MAXARG; i++) {
> > +                               args[i] = strsep(&arg, " ");
> > +                               if (args[i] == NULL)
> > +                                       break;
> > +                       }
> > +                       if (args[i])
> > +                               dbg("to many args");
>
> This still doesn't look correct: args[i] will be out of bounds
> when the loop has finished on CALLOUT_MAXARG, and the args
> array is not zero terminated when calling execve.
>
> I haven't tried it yet, but I think this would make more sense:
>
> +                       for (i=0; i < CALLOUT_MAXARG-1; i++) {
> +                               args[i] = strsep(&arg, " ");
> +                               if (args[i] == NULL)
> +                                       break;
> +                       }
> + args[i] = arg;
> +                       if (args[i])
> +                               dbg("to many args");

Good catch, but arg is not NULL if MAXARG is reached - so args is still
not terminated :)

Corrected patch attached.

Regards
Kay
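
Review bot: in the original hunk (loop bound `i < CALLOUT_MAXARG`), the post-loop check `if (args[i])` reads `args[CALLOUT_MAXARG]` whenever the loop runs to its limit without hitting `break`. That is one past the last slot the loop filled, and out of bounds if args has CALLOUT_MAXARG elements (the declaration is not in the hunk). In the same case no NULL was ever stored, so the vector passed on to execve, as the reply points out, has no terminator. Bound the loop at `CALLOUT_MAXARG-1`, store NULL in `args[i]` unconditionally after the loop, and detect leftover input by testing `arg` rather than `args[i]`. The debug string should also read "too many args".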
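
Review bot: in the suggested hunk (loop bound `i < CALLOUT_MAXARG-1`), `args[i] = arg;` terminates the array only when the input was fully consumed, because strsep sets `arg` to NULL once it has returned the last token. When the loop reaches its limit with input still left, `arg` points at the unparsed remainder, so the final slot receives a non-NULL pointer and the array is still unterminated, which is the case the follow-up reply describes. Use `arg` only for the overflow test (`if (arg)` before the dbg call) and write `args[i] = NULL;` regardless, so that termination does not depend on how the loop exited.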