Message-ID: <alpine.DEB.2.00.1010061043550.29582@justus.melware.de>
Date: Wed, 6 Oct 2010 10:44:47 +0200 (CEST)
From: Armin Schindler <armin@...ware.de>
To: Dan Carpenter <error27@...il.com>
cc: Karsten Keil <isdn@...ux-pingi.de>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [patch] eicon: make buffer larger

On Wed, 6 Oct 2010, Dan Carpenter wrote:
> On Wed, Oct 06, 2010 at 10:21:02AM +0200, Armin Schindler wrote:
>> On Wed, 6 Oct 2010, Dan Carpenter wrote:
>>> On Wed, Oct 06, 2010 at 09:25:44AM +0200, Armin Schindler wrote:
>>>> On Mon, 4 Oct 2010, Dan Carpenter wrote:
>>>>> In diva_mnt_add_xdi_adapter() we do this:
>>>>>     strcpy (clients[id].drvName, tmp);
>>>>>     strcpy (clients[id].Dbg.drvName, tmp);
>>>>>
>>>>> The "clients[id].drvName" is a 128 character buffer and
>>>>> "clients[id].Dbg.drvName" was originally a 16 character buffer but I've
>>>>> changed it to 128 as well. We don't actually use 128 characters but we
>>>>> do use more than 16.
>>>>
>>>> I don't see any reason for that change. The driver names here do not use
>>>> more than 16 characters and when filled, the length is checked anyway.
>>>> Please avoid changing the size of that structure.
>>>>
>>>
>>> drivers/isdn/hardware/eicon/debug.c diva_mnt_add_xdi_adapter()
>>>  874      sprintf (tmp, "ADAPTER:%d SN:%u-%d",
>>>                          12345678 90123 45 67
>>>
>>> That's a minimum 17 characters.
>>>
>>>  875               (int)logical,
>>>  876               serial & 0x00ffffff,
>>>  877               (byte)(((serial & 0xff000000) >> 24) + 1));
>>>  878    } else {
>>>  879      sprintf (tmp, "ADAPTER:%d SN:%u", (int)logical, serial);
>>>  880    }
>>
>> this is tmp with a bigger size. It seems you are mixing the sizes of
>> drvName and tmp.
>>
>
> What I mean is that later on we use strcpy() to copy "tmp" into
> "clients[id].Dbg.drvName"
>
>  927    strcpy (clients[id].drvName, tmp);
>  928    strcpy (clients[id].Dbg.drvName, tmp);
>                                  ^
>                     this buffer is only 16 chars

Now I understand. You are right.
So the fix would be to change these strcpy() to e.g. strncpy() or similar.

Armin
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
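
The length problem discussed in this thread, and the caveat behind "strncpy() or similar", as an added example that is not part of the original message or of the eicon driver. Only the format string and the 16-byte destination size come from the thread; the helper names, the unsigned type of the serial number and the sample adapter/serial values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DBG_NAME_LEN 16   /* size of Dbg.drvName according to the thread */

/* Bytes, including the NUL, that the first format string in the thread needs. */
static size_t adapter_name_size(int logical, unsigned serial)
{
    int n = snprintf(NULL, 0, "ADAPTER:%d SN:%u-%d", logical,
                     serial & 0x00ffffffu,
                     (unsigned char)(((serial & 0xff000000u) >> 24) + 1));
    return (size_t)n + 1;
}

/* Bounded copy (hypothetical helper): always NUL-terminates dst and
 * returns 1 when src had to be truncated, 0 otherwise. */
static int copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    size_t n;

    if (dst_size == 0)
        return 1;
    n = len < dst_size ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len >= dst_size;
}

/* What a bare strncpy(dst, src, sizeof(dst)) leaves behind:
 * returns 1 if dst contains a terminating NUL, 0 if it does not. */
static int strncpy_terminates(const char *src)
{
    char dst[DBG_NAME_LEN];

    strncpy(dst, src, sizeof(dst));
    return memchr(dst, '\0', sizeof(dst)) != NULL;
}

int main(void)
{
    char tmp[256], name[DBG_NAME_LEN];

    /* Constructed sample values: the shortest string this format can produce. */
    snprintf(tmp, sizeof(tmp), "ADAPTER:%d SN:%u-%d", 1, 0u, 1);
    printf("needs %zu bytes, buffer has %d\n", adapter_name_size(1, 0), DBG_NAME_LEN);
    printf("truncated=%d name=\"%s\"\n", copy_name(name, sizeof(name), tmp), name);
    printf("strncpy leaves a NUL: %d\n", strncpy_terminates(tmp));
    return 0;
}
```

Even the shortest name needs 17 bytes, so a plain strncpy() bounded to 16 stops the overflow but leaves the field without a terminator; the copy has to terminate the buffer explicitly, as copy_name() does.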