buffer overflow in srm_env_write?!
Michal Jaegermann
michal at ellpspace.math.ualberta.ca
Mon Mar 14 20:47:09 UTC 2005
On Mon, Mar 14, 2005 at 08:15:44PM +0100, Falk Hueffner wrote:
> Heid Oliver <oliver.heid at siemens.com> writes:
>
> > here it is.
> >
> > --- arch/alpha/kernel/srm_env.c~ 2005-03-02 08:37:49.000000000 +0100
> > +++ arch/alpha/kernel/srm_env.c 2005-03-14 17:00:48.000000000 +0100
> > @@ -152,7 +152,7 @@
> > res = -EFAULT;
> > if (copy_from_user(buf, buffer, count))
> > goto out;
> > - buf[count] = '\0';
> > + buf[count-1] = '\0';
> >
> > ret1 = callback_setenv(entry->id, buf, count);
> > if ((ret1 >> 61) == 0) {
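Review bot: `buf[count-1] = '\0';` indexes `buf[-1]` when `count == 0`, and nothing in the visible lines rejects a zero-length write before the `copy_from_user()`; either reject `count == 0` up front or guard the store with `if (count > 0)`. Shifting the terminator to `count-1` also silently overwrites the last byte the caller wrote (usually the trailing newline) instead of rejecting writes that leave no room for the NUL, so the real fix is a bound on `count` against the buffer size before the copy.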
> > ---
>
> That will nuke the kernel if count == 0.
Do we ever really want a trailing newline here? If not then
such code in srm_env.c may cause the least surprises:
	if (copy_from_user(buf, buffer, count))
		goto out;
	if (count > 0 && buf[count-1] == '\n')
		count -= 1;
	buf[count] = '\0';
	ret1 = callback_setenv(entry->id, buf, count);
.....
Although then if you want that newline you have to do something
like
echo "extra newline
"
which will be not obvious.
Michal
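The write path discussed in this thread, as an added user-space model that is not code from the kernel or from anyone in the thread: copy_from_user() is stood in for by memcpy(), the buffer size SRM_BUF_SIZE is a hypothetical constant, and the function combines the newline stripping above with the bound on count that keeps buf[count] inside the buffer.

```c
/* Added example, not from the original thread or the kernel source.
 * Models the srm_env write handler in user space so the bounds
 * handling can be exercised without a kernel. */
#include <stddef.h>
#include <string.h>

#define SRM_BUF_SIZE 16   /* hypothetical size of the kernel-side buffer */

/* Copies a user write of `count` bytes into `buf` (SRM_BUF_SIZE bytes),
 * drops one trailing newline as suggested in the thread, and
 * NUL-terminates. Returns the resulting string length, or -1 when the
 * write plus its terminator would not fit (the overflow in the subject). */
int srm_env_prepare(const char *buffer, size_t count, char *buf)
{
    /* buf[count] must stay inside the buffer: count <= SRM_BUF_SIZE - 1 */
    if (count >= SRM_BUF_SIZE)
        return -1;
    memcpy(buf, buffer, count);          /* stands in for copy_from_user() */
    /* Check count > 0 first: buf[count-1] with count == 0 is buf[-1] */
    if (count > 0 && buf[count - 1] == '\n')
        count -= 1;
    buf[count] = '\0';
    return (int)count;
}
```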