lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LNX.2.00.1101202353010.11854@swampdragon.chaosbits.net>
Date:	Fri, 21 Jan 2011 00:00:56 +0100 (CET)
From:	Jesper Juhl <jj@...osbits.net>
To:	linux-kernel@...r.kernel.org
cc:	James Morris <jmorris@...ercode.com.au>,
	James Morris <jmorris@...ei.org>,
	"David S. Miller" <davem@...hat.com>,
	David Miller <davem@...emloft.net>,
	Steve French <sfrench@...ibm.com>,
	Steve French <smfrench@...il.com>,
	Andrew Tridgell <tridge@...ba.org>
Subject: [PATCH] Do not potentially overflow string in sumversion

In scripts/mod/sumversion.c (in get_src_version()) we call 
getenv("MODVERDIR"). This returns a pointer to a string of unknown length. 
This string of unknown length we then pass on as an argument to sprintf() 
and tell it to write the result to 'filelist' which has a, very much 
fixed, size of 'PATH_MAX + 1'. If the string returned by getenv() is too 
long we'll overrun the statically allocated buffer.
This patch prevents the buffer overrun by using snprintf() and telling it 
to copy a maximum of 'PATH_MAX + 1' bytes (including the terminating \0).

Signed-off-by: Jesper Juhl <jj@...osbits.net>
---
 sumversion.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

  compile tested only

diff --git a/scripts/mod/sumversion.c b/scripts/mod/sumversion.c
index ecf9c7d..35e9404 100644
--- a/scripts/mod/sumversion.c
+++ b/scripts/mod/sumversion.c
@@ -401,7 +401,7 @@ void get_src_version(const char *modname, char sum[], unsigned sumlen)
 		basename = strrchr(modname, '/') + 1;
 	else
 		basename = modname;
-	sprintf(filelist, "%s/%.*s.mod", modverdir,
+	snprintf(filelist, PATH_MAX + 1, "%s/%.*s.mod", modverdir,
 		(int) strlen(basename) - 2, basename);
 
 	file = grab_file(filelist, &len);


-- 
Jesper Juhl <jj@...osbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ