| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160111141605.GC2644@codeblueprint.co.uk> Date: Mon, 11 Jan 2016 14:16:05 +0000 From: Matt Fleming <matt@...eblueprint.co.uk> To: "Luck, Tony" <tony.luck@...el.com> Cc: Insu Yun <wuninsu@...il.com>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "taesoo@...ech.edu" <taesoo@...ech.edu>, "yeongjin.jang@...ech.edu" <yeongjin.jang@...ech.edu>, "insu@...ech.edu" <insu@...ech.edu>, "changwoo@...ech.edu" <changwoo@...ech.edu> Subject: Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability On Fri, 08 Jan, at 04:47:17PM, Luck, Tony wrote: > > But this function doesn't use snprintf(), it uses scnprintf() which > > returns the number of characters written into buf and, because > > scnprintf() largely follows vnsprintf(), it will never write more than > > 'size' bytes into the buffer. > > if (bank && device) > n = snprintf(msg, len, "DIMM location: %s %s ", bank, device); > > That looks like "snprintf", not "scnprintf" to me :-) Oops! Can you believe I looked at the wrong function? > What about using: > > msg[len] = '\0'; > > to guarantee NUL termination? But that may leave garbage bytes in 'rcd_decode_str' in the case where the string isn't as long as 'len'. How about memset()'ing the buffer to zero and deleting the NUL termination line?
Powered by blists - more mailing lists