On Saturday 04 May 2013 16:10:29 Dmitry V. Levin wrote:
> On Wed, May 01, 2013 at 11:35:30PM -0400, Mike Frysinger wrote:
> > + /* 4*(n-1) + 3 for quotes and NUL */
> > + char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
> > +
> > + if (entering(tcp))
> > + return 0;
> > +
> > + switch (code) {
> > + case UBI_IOCMKVOL:
> > + if (!verbose(tcp) || umove(tcp, arg, &mkvol) < 0)
> > + return 0;
> > +
> > + tprintf(", {vol_id=%" PRIi32 ", alignment=%" PRIi32
> > + ", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
> > + mkvol.alignment, (int64_t)mkvol.bytes);
> > + printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
> > + string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
>
> Because mkvol.name_len is untrusted input, it can exceed
> UBI_MAX_VOLUME_NAME with good chance to overflow vol_name[].
> I suggest adding some kind of
> CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME).yeah ... i thought of that when processing UBI_IOCRNVOL.ents, but forgot about the names. i'll post a fix for it. -mike
signature.asc
Description: This is a digitally signed message part.
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________ Strace-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/strace-devel
