On Thu, Nov 20, 2003 at 03:59:31AM +0100, Arnd Bergmann wrote:
> On Thursday 20 November 2003 17:07, Kay Sievers wrote:
> > On Thu, Nov 20, 2003 at 01:47:36AM +0100, Arnd Bergmann wrote:
> > > This still doesn't look correct: args[i] will be out of bounds
> > > when the loop has finished on CALLOUT_MAXARG, and the args
> > > array is not zero terminated when calling execve.
> >
> > Good catch, but arg is not NULL if MAXARG is reached - so args is still
> > not terminated :)
>
> > +       char *args[CALLOUT_MAXARG];
> > +       int i;
> ...
> > +                       for (i=0; i < CALLOUT_MAXARG; i++) {
> > +                               args[i] = strsep(&arg, " ");
> > +                               if (args[i] == NULL)
> > +                                       break;
> > +                       }
> > +                       if (args[i]) {
> > +                               dbg("to many args");
> > +                               args[i] = NULL;
> > +                       }
>
> Ok, it's terminated now, but again out of bounds. It should be
> char *args[CALLOUT_MAXARG+1];
> in the beginning or only loop to (CALLOUT_MAXARG - 1).

Oh, oh, oh...
I hope, I don't send more patches than the number of lines added to the code.
Here is #5 :)

thanks,
Kay
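
Review bot: In the quoted hunk, when the for loop runs to completion without hitting the break, i equals CALLOUT_MAXARG, so "if (args[i])" reads and "args[i] = NULL" writes one element past the end of "char *args[CALLOUT_MAXARG]", a stack out-of-bounds access on the array that is later handed to execve. Size the array as CALLOUT_MAXARG+1 or stop the loop at CALLOUT_MAXARG - 1, as suggested in the reply. Even with that change the slot at args[i] has not been assigned when the loop ends without a break, so write the NULL terminator unconditionally and decide whether to log by testing arg, which strsep leaves non-NULL while input remains. The dbg string "to many args" should read "too many args".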