| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20141114223417.GA2180@sli.dy.fi>
Date: Sat, 15 Nov 2014 00:34:18 +0200
From: Sami Liedes <sami.liedes@....fi>
To: linux-ext4@...r.kernel.org
Cc: tytso@....edu
Subject: [PATCH] libblkid: avoid 1-byte stack overflow with long partition
names
The code in probe_all() parses device names from /proc/partitions into
a char[128] buffer using sscanf() %128[...] format specifier.
If the device name is at least 128 bytes long, scanf() will store
those 128 bytes plus the null byte, overflowing the buffer by a single
byte. Fix by making the buffers 129 bytes long.
Signed-off-by: Sami Liedes <sami.liedes@....fi>
---
lib/blkid/devname.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/blkid/devname.c b/lib/blkid/devname.c
index 3e2efa9..58baa29 100644
--- a/lib/blkid/devname.c
+++ b/lib/blkid/devname.c
@@ -394,7 +394,7 @@ static int probe_all(blkid_cache cache, int only_if_new)
{
FILE *proc;
char line[1024];
- char ptname0[128], ptname1[128], *ptname = 0;
+ char ptname0[129], ptname1[129], *ptname = 0;
char *ptnames[2];
dev_t devs[2];
int ma, mi;
--
2.1.3
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists