From: Neil Brown <neilb@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Fabio Olive Leite <fabio.olive@gmail.com>,
argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org,
bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
Linux Network Developers <netdev@vger.kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Andrew Morton <akpm@linux-foundation.org>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c
Date: Thu, 12 Nov 2009 16:56:47 +1100 [thread overview]
Message-ID: <19195.41887.250696.801873@notabene.brown> (raw)
In-Reply-To: message from Chuck Lever on Wednesday November 11
On Wednesday November 11, chuck.lever@oracle.com wrote:
> On 2009-11-11 Fabio Olive Leite wrote:
> > On 2009-11-11 Patroklos Argyroudis wrote:
> >> There is no need to increase the size of the buffer since the new
> >> check (if (uaddr_len > sizeof(buf) - 2)) will terminate the function
> >> in case the valid universal address is RPCBIND_MAXUADDRLEN bytes.
> > On a second note, why is '\n' needed there? You should only need
> > '\0', as a '\n'
>
> > at the end is not required by any of the string functions used to
> > convert the
> > address. I believe you could go with buf[RPCBIND_MAXUADDRLEN+1] for
> > the extra NUL only.
>
> AFAICT, strict_strtoul() requires the '\n\0' termination.
if ((*tail == '\0') ||
((len == (size_t)(tail - cp) + 1) && (*tail == '\n'))) {
*res = val;
return 0;
}
allows, not requires. Though admittedly that code isn't as clear as
one might like:
if (tail[0] == 0 || (tail[0] == '\n' && tail[1] == 0) {
.....
}
NeilBrown
next prev parent reply other threads:[~2009-11-12 5:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-14546-10286@http.bugzilla.kernel.org/>
[not found] ` <bug-14546-10286-V0hAGp6uBxO456/isadD/XN4h3HLQggn@public.gmane.org/>
2009-11-10 23:29 ` [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c Andrew Morton
2009-11-10 23:38 ` Chuck Lever
2009-11-11 7:51 ` Patroklos Argyroudis
2009-11-11 12:11 ` Fabio Olive Leite
2009-11-11 12:34 ` Fabio Olive Leite
2009-11-11 15:53 ` Chuck Lever
2009-11-12 5:56 ` Neil Brown [this message]
2009-11-11 11:02 ` [PATCH] sunrpc: off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() Patroklos Argyroudis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=19195.41887.250696.801873@notabene.brown \
--to=neilb@suse.de \
--cc=akpm@linux-foundation.org \
--cc=argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org \
--cc=bfields@fieldses.org \
--cc=bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org \
--cc=bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org \
--cc=chuck.lever@oracle.com \
--cc=fabio.olive@gmail.com \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox