* ip_conntrack_standalone / sprintf to buffer
@ 2005-05-24 5:50 Sven Schnelle
0 siblings, 0 replies; only message in thread
From: Sven Schnelle @ 2005-05-24 5:50 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 866 bytes --]
Hi,
found the following code snippet in ip_conntrack_standalone.c:145
in function conntrack_iterate():
-------------------000000------8<-----------------------------
newlen = print_conntrack(buffer + *len, hash->ctrack);
printk("len + newlen: %d maxlen: %d\n", *len + newlen, maxlen);
if (*len + newlen > maxlen)
return 1;
else *len += newlen;
-------------000000------------8<-----------------------------
print_conntrack() uses sprintf without length checking. And now i'm
wondering what happens if for example, maxlen=3072 and
len=3071. print_conntrack uses sprintf, writes beyond the end the buffer, and
after this the check (*len + newlen > maxlen) is done. Looks to me like
a bug.
Did i missed something?
Bye,
Sven.
--
"If you can't make it good, at least make it look good." Bill Gates on
the solid code base of Win9X
[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2005-05-25 2:37 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-24 5:50 ip_conntrack_standalone / sprintf to buffer Sven Schnelle
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox