Date: Tue, 8 Apr 2014 09:34:09 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Dan Carpenter' <dan.carpenter@...cle.com>, Karsten Keil <isdn@...ux-pingi.de>
CC: "David S. Miller" <davem@...emloft.net>, YOSHIFUJI Hideaki / ???? <yoshfuji@...ux-ipv6.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [patch] isdnloop: several buffer overflows

From: Dan Carpenter
> There are three buffer overflows addressed in this patch.
...
> 2) In isdnloop_parse_cmd(), p points to 6 characters into a 60
> character buffer so we have 54 characters. The ->eazlist[] is 11
> characters long. I have modified the code to return if the source
> buffer is too long.
...
> @@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
> case 7:
> /* 0x;EAZ */
> p += 3;
> + if (strlen(p) >= sizeof(card->eazlist[0]))
> + break;
> strcpy(card->eazlist[ch - 1], p);
> break;
> case 8:

If you've done the strlen() you might as well use memcpy().
There are also functions that will do a bounded strlen(), (e.g. memchr()).

David
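Review bot: In the `case 7` branch the over-long EAZ is dropped with a bare `break;`, so the command is silently ignored and nothing tells the caller or the log that input was rejected; consider a warning or an error return at that point. The check and the copy are also still separate operations: `strlen(p)` validates the length and `strcpy()` then rescans the string, so a later edit to either line can let them drift apart. Keeping the computed length and copying `len + 1` bytes with `memcpy()`, or using a size-bounded copy, would tie the two together. Separately, `strcpy(card->eazlist[ch - 1], p);` indexes with `ch - 1`, and nothing in the visible lines range-checks `ch`; it is worth confirming that happens earlier in the function.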
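The suggestion in the reply above, sketched as user-space C (an added example, not code from the thread or from the isdnloop driver): `memchr()` bounds the length scan to the bytes remaining in the source buffer, and `memcpy()` reuses the length it found. The helper name `bounded_copy` and the constants `EAZ_LEN` and `MSG_LEN` are assumptions, with sizes taken from the patch description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EAZ_LEN 11  /* one eazlist[] entry, size quoted in the patch description */
#define MSG_LEN 60  /* source message buffer, size quoted in the patch description */

/*
 * Hypothetical helper: copy a NUL-terminated string from src into dst.
 * src_max is the number of readable bytes at src; dst_size is sizeof dst.
 * Returns 0 on success, -1 if no NUL is found within src_max bytes or
 * the string (plus terminator) does not fit. dst is untouched on failure.
 */
static int bounded_copy(char *dst, size_t dst_size,
                        const char *src, size_t src_max)
{
    const char *nul = memchr(src, '\0', src_max);  /* bounded strlen() */
    size_t len;

    if (nul == NULL)
        return -1;              /* unterminated: never scan past the buffer */
    len = (size_t)(nul - src);
    if (len >= dst_size)
        return -1;              /* too long for the destination */
    memcpy(dst, src, len + 1);  /* length already known, copy includes NUL */
    return 0;
}

int main(void)
{
    char msg[MSG_LEN];          /* constructed input, not real driver data */
    char eaz[EAZ_LEN] = "";
    size_t off = 6;             /* p points 6 characters into the buffer */
    int rc;

    memset(msg, 'A', sizeof(msg));          /* 54 bytes after p, no NUL */
    rc = bounded_copy(eaz, sizeof(eaz), msg + off, sizeof(msg) - off);
    printf("unterminated: rc=%d\n", rc);

    memcpy(msg + off, "1234567890", 11);    /* 10 chars + NUL fits */
    rc = bounded_copy(eaz, sizeof(eaz), msg + off, sizeof(msg) - off);
    printf("fits: rc=%d eaz=%s\n", rc, eaz);

    memcpy(msg + off, "12345678901", 12);   /* 11 chars is one too many */
    rc = bounded_copy(eaz, sizeof(eaz), msg + off, sizeof(msg) - off);
    printf("too long: rc=%d eaz=%s\n", rc, eaz);
    return 0;
}
```

Unlike `strlen()` followed by `strcpy()`, this never reads past the end of the source buffer when the terminator is missing.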