lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060820211456.GA32343@dreamland.darkstar.lan>
Date:	Sun, 20 Aug 2006 23:14:56 +0200
From:	Luca <kronos.it@...il.com>
To:	Julio Auto <mindvortex@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] 2.6.17.9 Incorrect string length checking in param_set_copystring()

Julio Auto <mindvortex@...il.com> ha scritto:
> As for 2.6.17.9, linux/include/linux/moduleparam.h suggests the user
> of module_param_string() to set the maxlen parameter to
> strlen(string), ie. '\0' excluded. However the function that actually
> sets the string (param_set_copystring()), doesn't accept inputs with
> maxlen-1 characters, reporting that the supplied string should fit
> maxlen-1 chars.
> See patch below.
> Cheers,
> 
>    Julio Auto
> 
> --- linux-2.6.17.9/kernel/params.c.old  2006-08-19 20:48:30.000000000 -0700
> +++ linux-2.6.17.9/kernel/params.c      2006-08-19 20:49:15.000000000 -0700
> @@ -351,9 +351,9 @@ int param_set_copystring(const char *val
> {
>        struct kparam_string *kps = kp->arg;
> 
> -       if (strlen(val)+1 > kps->maxlen) {
> +       if (strlen(val) > kps->maxlen) {
>                printk(KERN_ERR "%s: string doesn't fit in %u chars.\n",
> -                      kp->name, kps->maxlen-1);
> +                      kp->name, kps->maxlen);
>                return -ENOSPC;
>        }
>        strcpy(kps->string, val);

Hi,
I believe that the code is correct. kps->maxlen is the lenght of the
buffer; when dealing with a string of N chars you need an array of (N +
1) bytes in order to store the terminator ('\0').

Look again at the check:

        if (strlen(val) > kps->maxlen) {

Suppose that val is a string of 10 chars (strlen(val) == 10), suppose
that the buffer holds 10 bytes (kps->maxlen == 10). The expression:

        if (10 > 10) {

is false, so strcpy() ends up writing 11 bytes in a buffer of 10 bytes.

Also, for future patches see point 11 of
Documentation/SubmittingPatches.

Luca
-- 
Home: http://kronoz.cjb.net
"Su cio` di cui non si puo` parlare e` bene tacere".
 Ludwig Wittgenstein
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ