If you do a dir /s from a command line, what happens?

jm7


                                                                           
From: <[email protected]>
Sent by: <boinc_dev-bounce[email protected]u>
To: <[email protected]>
Date: 05/11/2011 10:50 AM
Subject: [boinc_dev] Buffer overflow in dir_size() function / ticket #1108




Hi all,

I was told by the friendly forum moderators that it's probably best if I
post my findings here so it reaches the right people.

I was experiencing a crash in boinc that, judging by the stack trace,
looks quite like the one in http://boinc.berkeley.edu/trac/ticket/1108.

I dug around a bit with gdb and found that the problem is in the
dir_size() function in lib/filesys.cpp, which is rather naive:
it blindly follows symlinks and also assumes that any subpath it encounters
fits in 255 bytes. The yoyo@home project has recently started to provide
their muon subproject also on linux hosts, with the help of wine. Now
there is a .wine configuration directory in my boinc directory that
contains e.g. this symlink:

     lrwxrwxrwx 1 boinc boinc 14 May 11 12:22 /var/lib/boinc/.wine/dosdevices/c:/users/boinc/My Documents -> /var/lib/boinc

This essentially causes an endless recursion in dir_size, that is
quickly ended ;) by overflowing the 256 bytes of the buffer.

After removing the .wine directory boinc is running fine again, and I
think I can change the WINEPREFIX for boinc in the startup scripts (or
just disable muon) as a workaround, but I hope the above info can help
in reproducing/fixing the issue in a future boinc version.

Speaking of versions: I'm using boinc 6.10.58 on gentoo-linux (amd64).


Regards,
Andy
--
Lubarsky's Law of Cybernetic Entomology:
             There's always one more bug.
(See attached file: att62pfb.dat)
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.
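
The failure mode described in the report above (a recursive size walk that follows symlinks and builds child paths in a fixed buffer) can be avoided as in the following added example, which is not BOINC's code and not part of the original thread. The names dir_size_safe, demo_loop_tree and MAX_DEPTH, the 4096-byte buffer and the temporary directory layout are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DEPTH 64 /* assumed cap on nesting, not a BOINC value */

/* Adds the sizes of regular files under path to *total. Returns 0, or -1 on
   I/O error, a child path that does not fit the buffer, or too-deep nesting. */
static int dir_size_safe(const char *path, int depth, long long *total) {
    char child[4096];
    struct dirent *e;
    struct stat st;
    int rc = 0;
    DIR *d;
    if (depth > MAX_DEPTH || !(d = opendir(path))) return -1;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        int n = snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (n < 0 || (size_t)n >= sizeof child) rc = -1; /* refuse to truncate */
        else if (lstat(child, &st) != 0) rc = -1;        /* lstat: inspect the link itself */
        else if (S_ISLNK(st.st_mode)) continue;          /* never follow symlinks */
        else if (S_ISDIR(st.st_mode)) rc = dir_size_safe(child, depth + 1, total);
        else if (S_ISREG(st.st_mode)) *total += st.st_size;
    }
    closedir(d);
    return rc;
}

/* Constructed sample: a 5-byte file plus a symlink back to the top directory,
   the same shape as the .wine link in the report. Returns the total or -1. */
static long long demo_loop_tree(void) {
    char top[] = "/tmp/dirsizeXXXXXX", sub[64], file[64], lnk[96];
    long long total = 0;
    if (!mkdtemp(top)) return -1;
    snprintf(sub, sizeof sub, "%s/.wine", top);
    snprintf(file, sizeof file, "%s/data.bin", top);
    snprintf(lnk, sizeof lnk, "%s/My Documents", sub);
    FILE *f = fopen(file, "w");
    if (!f || fputs("12345", f) < 0 || fclose(f) != 0) return -1;
    if (mkdir(sub, 0700) != 0 || symlink(top, lnk) != 0) return -1;
    int rc = dir_size_safe(top, 0, &total);
    unlink(lnk); rmdir(sub); unlink(file); rmdir(top);
    return rc == 0 ? total : -1;
}
int main(void) { printf("%lld bytes\n", demo_loop_tree()); return 0; }
```

Skipping symlinks removes the loop, while the snprintf length check and the depth cap keep the walk bounded even on a tree of real directories that is deeper or longer than expected.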
