Hi,

Please correct me if I'm missing something here:

Both dname and dname2 have the exact same size:

    int8_t dname[100];
#ifndef HAVE_DEV_DLPI
    int8_t dname2[100];
#endif

dname is set here:

    if (*(l->device) == '/')
    {
        memset(&dname, 0, sizeof(dname));
        strncpy(dname, l->device, sizeof(dname) - 1);
        dname[sizeof(dname) - 1] = '\0';
    }
    else
    {
        sprintf(dname, "%s/%s", DLPI_DEV_PREFIX, l->device);
    }


The first part ensures that it is a null-terminated string, while the second
part does an sprintf() from l->device, which to my understanding is indirectly
limited to IF_NAMESIZE, which is 16.

In any case, I don't see how dname2 can be overflowed without overflowing 
dname first.

Can you please elaborate a bit?

Thanks,
Stefanos
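
An added example, not part of the original message and not libnet's code: both branches of the quoted snippet written so that the bound comes from the destination size rather than from an indirect limit on l->device. The helper name build_dname and the "/dev" value for DLPI_DEV_PREFIX are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the message does not show the definition. */
#ifndef DLPI_DEV_PREFIX
#define DLPI_DEV_PREFIX "/dev"
#endif

#define DNAME_SIZE 100 /* same size as dname and dname2 in the quoted code */

/*
 * Hypothetical helper: fill out[] from device the way the quoted code does,
 * but bound both branches by the destination size.
 * Returns 0 on success, -1 if the input is missing or would not fit.
 */
static int build_dname(char *out, size_t outlen, const char *device)
{
    int n;

    if (out == NULL || outlen == 0 || device == NULL || *device == '\0')
        return -1;

    if (*device == '/')
        n = snprintf(out, outlen, "%s", device);
    else
        n = snprintf(out, outlen, "%s/%s", DLPI_DEV_PREFIX, device);

    /* snprintf returns the length it needed; >= outlen means truncation. */
    if (n < 0 || (size_t)n >= outlen)
    {
        out[0] = '\0'; /* reject instead of using a silently cut name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char dname[DNAME_SIZE];
    char longname[200]; /* constructed oversized input */

    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("%d %s\n", build_dname(dname, sizeof(dname), "hme0"), dname);
    printf("%d\n", build_dname(dname, sizeof(dname), longname));
    return 0;
}
```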

