[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090106012759.GA3512@agk.fab.redhat.com>
Date: Tue, 6 Jan 2009 01:27:59 +0000
From: Alasdair G Kergon <agk@...hat.com>
To: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: Stephen Rothwell <sfr@...b.auug.org.au>,
Milan Broz <mbroz@...hat.com>,
Jaya Kumar <jayakumar.video@...il.com>,
Laurent Pinchart <laurent.pinchart@...net.be>,
Mauro Carvalho Chehab <mchehab@...radead.org>,
Gene Sally <Gene.Sally@...esys.com>,
Sam Ravnborg <sam@...nborg.org>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-next@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: strncat() misuse (was: Re: dm_attr_{name,uuid}_show buffer overflow? (was: Re: linux-next: Tree for January 5))
On Mon, Jan 05, 2009 at 11:18:38PM +0100, Geert Uytterhoeven wrote:
> On Mon, 5 Jan 2009, Geert Uytterhoeven wrote:
> > On Mon, 5 Jan 2009, Stephen Rothwell wrote:
> > | strncat(buf, "\n", DM_NAME_LEN);
> > | return strnlen(buf, DM_NAME_LEN);
> > Probably the intention was to limit the string in _buf_ (not the source string
> > "\n") to DM_NAME_LEN? If yes, this may cause a buffer overflow.
Both the 'n's look bogus to me as runtime checks. But I think the code happens
to work correctly - apart from your compilation problem.
buf is always a page and both strings (name and uuid) are NULL-terminated and
the longest possible is 128 chars of uuid plus the "\n" i.e. 130 (except for a
bug I noticed on one code path which we'll fix).
Alasdair
--
agk@...hat.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists