Re: [PATCH 1/1] initramfs: strcpy destination string overflow

From: Linus Torvalds
Date: Tue Oct 05 2010 - 11:55:58 EST

Next message: Dmitry Torokhov: "Re: [RESEND] [PATCH] Input: add appleir USB driver"
Previous message: Nicolas Kaiser: "[PATCH] sound/usb/usx2y: simplify conditional"
In reply to: AmÃrico Wang: "Re: [PATCH 1/1] initramfs: strcpy destination string overflow"
Next in thread: H. Peter Anvin: "Re: [PATCH 1/1] initramfs: strcpy destination string overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 5, 2010 at 1:44 AM, Evgeny Kuznetsov
<EXT-Eugeny.Kuznetsov@xxxxxxxxx> wrote:
> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@xxxxxxxxx>
>
> Function "strcpy()" is used without check for maximum allowed
> source string length and could cause destination string overflow.
> "strcpy()" is replaced by "strlcpy()" to prevent destination
> string overflow.

I think this is wrong.

If the name is too long to fit in the hash table, we should not create
a new hash entry at all, because we'd be returning the wrong
(truncated) name when we find it next time.

So it would be much better to just do

if (strlen(name) >= sizeof(q->name))
return NULL;

in find_link(), because as far as I can tell, the hard-linking is
always just an optimization.

Comments? Peter?

Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dmitry Torokhov: "Re: [RESEND] [PATCH] Input: add appleir USB driver"
Previous message: Nicolas Kaiser: "[PATCH] sound/usb/usx2y: simplify conditional"
In reply to: AmÃrico Wang: "Re: [PATCH 1/1] initramfs: strcpy destination string overflow"
Next in thread: H. Peter Anvin: "Re: [PATCH 1/1] initramfs: strcpy destination string overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]