Re: More modutils: It's probably worse.

From: Guest section DW (dwguest@win.tue.nl)
Date: Tue Nov 14 2000 - 05:29:26 EST


On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:

> PS: The load_nls code tries to check for buffer overflows, but
> gets it wrong:
>
> struct nls_table *nls;
> char buf[40];
>
> if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
>         fail;
> sprintf(buf, "nls_%s", charset);
>
> This will accept charset names of up to 35 characters,
> because sizeof("nls_") is 5. This gives you a single NUL byte
> overflow. Whether it's dangerous or not depends on whether your
> compiler reserves stack space for the *nls pointer or not...

Where is the overflow? If charset has 35 characters then
        sprintf(buf, "nls_%s", charset);
writes 40 bytes into buf, and that fits.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
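The size arithmetic the two messages disagree about can be checked directly. The following is an added example, not code from the thread or from modutils: it reproduces the quoted check with a 40-byte buffer, uses snprintf(NULL, 0, ...) to count the bytes sprintf would store without writing them, and contrasts the quoted sizeof("nls_") form (5, NUL included) with a hypothetical strlen("nls_") form (4) that would let a 36-character name through. NLS_BUF_SIZE, the function names and the constructed all-'a' charset names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NLS_BUF_SIZE 40   /* matches the char buf[40] in the quoted snippet (assumed name) */

/* The check as quoted: sizeof("nls_") counts the terminating NUL (5),
 * so the longest accepted name is 40 - 5 = 35 characters. */
bool nls_name_ok(const char *charset)
{
    return strlen(charset) <= NLS_BUF_SIZE - sizeof("nls_");
}

/* Hypothetical faulty variant for contrast: strlen("nls_") is 4, which
 * forgets the NUL and lets a 36-character name through. Not from the thread. */
bool nls_name_ok_wrong(const char *charset)
{
    return strlen(charset) <= NLS_BUF_SIZE - strlen("nls_");
}

/* Bytes that sprintf(buf, "nls_%s", charset) would store, NUL included.
 * snprintf with size 0 returns the would-be length without touching memory. */
size_t nls_bytes_needed(const char *charset)
{
    return (size_t)snprintf(NULL, 0, "nls_%s", charset) + 1;
}

/* Format into a fixed buffer only when the whole result fits; false otherwise. */
bool nls_format(char *buf, size_t bufsize, const char *charset)
{
    if (nls_bytes_needed(charset) > bufsize)
        return false;
    snprintf(buf, bufsize, "nls_%s", charset);
    return true;
}

/* Constructed test input: a charset name of n 'a' characters (out must hold n+1). */
void make_name(char *out, size_t n)
{
    memset(out, 'a', n);
    out[n] = '\0';
}

int main(void)
{
    char name[64];
    char buf[NLS_BUF_SIZE];
    size_t n;

    /* 34 and 35 fit exactly; 36 needs 41 bytes and must be rejected. */
    for (n = 34; n <= 36; n++) {
        make_name(name, n);
        printf("len %2zu: needs %2zu bytes, sizeof-check %s, strlen-check %s, fits %s\n",
               n, nls_bytes_needed(name),
               nls_name_ok(name) ? "accepts" : "rejects",
               nls_name_ok_wrong(name) ? "accepts" : "rejects",
               nls_format(buf, sizeof buf, name) ? "yes" : "no");
    }
    return 0;
}
```

For a 35-character name the count is 4 + 35 + 1 = 40 bytes, which is exactly sizeof(buf); only the strlen-based variant accepts the 36-character name that would need 41. A check written against a byte count from snprintf, as in nls_format, stays correct if the prefix or the buffer size is later changed, which is the point of the sizeof-versus-strlen distinction.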



This archive was generated by hypermail 2b29 : Wed Nov 15 2000 - 21:00:25 EST