buffer overflow in srm_env_write?!

Michal Jaegermann michal at ellpspace.math.ualberta.ca
Mon Mar 14 20:47:09 UTC 2005


On Mon, Mar 14, 2005 at 08:15:44PM +0100, Falk Hueffner wrote:
> Heid Oliver <oliver.heid at siemens.com> writes:
> 
> > here it is.
> >
> > --- arch/alpha/kernel/srm_env.c~	2005-03-02 08:37:49.000000000 +0100
> > +++ arch/alpha/kernel/srm_env.c	2005-03-14 17:00:48.000000000 +0100
> > @@ -152,7 +152,7 @@
> >  	res = -EFAULT;
> >  	if (copy_from_user(buf, buffer, count))
> >  		goto out;
> > -	buf[count] = '\0';
> > +	buf[count-1] = '\0';
> >  
> >  	ret1 = callback_setenv(entry->id, buf, count);
> >  	if ((ret1 >> 61) == 0) {
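Review bot: `buf[count-1] = '\0'` introduces an underflow for count == 0 (a zero-length write now stores a byte just before `buf`) and, in the visible lines, there is still no bound on `count` against the size of `buf`, so `copy_from_user(buf, buffer, count)` itself can run past the buffer; moving the terminator one byte down does not address that. Suggest checking the length before the copy in the function's existing error style, e.g. `res = -EINVAL; if (count >= sizeof(buf)) goto out;`, and then keeping `buf[count] = '\0';`, which is safe for count == 0 once the upper bound holds. Also note that `callback_setenv(entry->id, buf, count)` is still handed the original `count`, so after this change the length passed to the callback includes the byte that was just overwritten with the terminator.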
> > ---
> 
> That will nuke the kernel if count == 0.

Do we ever really want a trailing newline here?  If not, then
such code in srm_env.c may cause the least surprises:

  if (copy_from_user(buf, buffer, count))
  	goto out;
  /* drop one trailing newline, but never index buf[-1] */
  if (count > 0 && buf[count-1] == '\n')
  	count -= 1;
  buf[count] = '\0';

  ret1 = callback_setenv(entry->id, buf, count);
  .....

Although then, if you want that newline, you have to do something
like

echo "extra newline
"

which will not be obvious.

    Michal
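A user-space model of the write path with the three checks this thread turns on, added here as an example and not code from srm_env.c: the upper bound on count (room for the terminator), the count == 0 guard before touching buf[count-1], and the optional stripping of one trailing newline. The buffer size VALUE_BUF_SIZE and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Size of the value buffer; an assumption for this model, not the
 * kernel's real constant. */
#define VALUE_BUF_SIZE 16

/*
 * Copy `count` bytes of `user` into `buf`, NUL-terminate, and optionally
 * drop one trailing newline. Returns the length actually stored, or -1
 * when `count` leaves no room for the terminator (the kernel would use
 * -EINVAL and `goto out`). memcpy() stands in for copy_from_user().
 *
 * Compared with the two versions in the thread: the bound check below
 * is what the bare `buf[count] = '\0'` lacked, and the `count > 0` test
 * is what `buf[count-1] = '\0'` lacked.
 */
long srm_env_store_model(const char *user, size_t count,
                         char *buf, size_t bufsz, int strip_newline)
{
	if (count >= bufsz)          /* terminator needs one byte */
		return -1;

	memcpy(buf, user, count);

	/* Guard count == 0 before indexing buf[count-1]. */
	if (strip_newline && count > 0 && buf[count-1] == '\n')
		count -= 1;

	buf[count] = '\0';           /* in bounds for every accepted count */
	return (long)count;          /* this, not the original count, goes to the callback */
}

/* Convenience wrappers over a static buffer so results can be inspected. */
static char value_buf[VALUE_BUF_SIZE];

long store_value(const char *user, size_t count, int strip_newline)
{
	return srm_env_store_model(user, count, value_buf,
	                           sizeof(value_buf), strip_newline);
}

const char *stored_value(void)
{
	return value_buf;
}
```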



