On Thursday 20 November 2003 17:07, Kay Sievers wrote:
> On Thu, Nov 20, 2003 at 01:47:36AM +0100, Arnd Bergmann wrote:
> > This still doesn't look correct: args[i] will be out of bounds
> > when the loop has finished on CALLOUT_MAXARG, and the args
> > array is not zero terminated when calling execve.
>
> Good catch, but arg is not NULL if MAXARG is reached - so args is still
> not terminated :)

> +       char *args[CALLOUT_MAXARG];
> +       int i;
...
> +                       for (i=0; i < CALLOUT_MAXARG; i++) {
> +                               args[i] = strsep(&arg, " ");
> +                               if (args[i] = NULL)
> +                                       break;
> +                       }
> +                       if (args[i]) {
> +                               dbg("to many args");
> +                               args[i] = NULL;
> +                       }

Ok, it's terminated now, but again out of bounds. It should be
char *args[CALLOUT_MAXARG+1];
in the beginning or only loop to (CALLOUT_MAXARG - 1).

	Arnd <><
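
Review bot: The test inside the for loop, "if (args[i] = NULL)", assigns instead of comparing, so as quoted each slot filled by strsep() is immediately overwritten with NULL, the break is never taken, and the loop always ends with i equal to CALLOUT_MAXARG. The following "if (args[i])" and "args[i] = NULL" then read and write one element past the end of "char *args[CALLOUT_MAXARG]". Use "==" in the test, and either size the array as CALLOUT_MAXARG+1 or stop the loop at CALLOUT_MAXARG - 1 so the terminating NULL that execve needs is stored inside the array. The debug string should also read "too many args".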