On 06/10/2013 01:09, Kenneth R Westerback wrote:
> On Sat, Oct 05, 2013 at 03:22:36PM -0600, Todd C. Miller wrote:
>> On Wed, 28 Aug 2013 22:34:26 -0400, Kenneth R Westerback wrote:
>>
>>>> @@ -552,11 +552,16 @@ ELFNAME2(exec,makecmds)(struct proc *p, 
>>>>  
>>>>    for (i = 0, pp = ph; i < eh->e_phnum; i++, pp++) {
>>>>            if (pp->p_type == PT_INTERP && !interp) {
>>>> -                  if (pp->p_filesz >= MAXPATHLEN)
>>>> +                  if (pp->p_filesz < 2 || pp->p_filesz >= MAXPATHLEN)
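Review bot: the upper bound kept in the new condition, `pp->p_filesz >= MAXPATHLEN`, rejects a path of exactly MAXPATHLEN-1 characters once p_filesz is taken to include the terminating NUL (as this thread agrees it does); `pp->p_filesz > MAXPATHLEN` would be the exact bound. Either comparison only limits the length, it does not make the copied bytes NUL-terminated when the destination buffer is not zeroed, so the code after the read should check `interp[pp->p_filesz - 1] == '\0'` explicitly instead of relying on the bound. The added `pp->p_filesz < 2` lower bound is right for rejecting an empty interpreter path.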
>>>
>>> Still think you're depriving yourself of one character out by using
>>> ">=" instead of ">".
>>
>> I'm not sure about this.  We want to limit the path length to
>> MAXPATHLEN-1 since we include the NUL terminator in MAXPATHLEN.
>> The buffer we get from namei_pool is MAXPATHLEN long and the
>> read_from() function just calls vn_rdwr().  If we allow interp to
>> be MAXPATHLEN, is there any guarantee that it will end in a NUL
>> byte?
>>
>>  - todd

since get_pool() is not given PR_ZERO, interp won't be zeroed. So even
with the '>=', there's no guarantee that it will end in a NUL byte.

p_filesz includes the last '\0'; there's no problem with changing '>='
to '>'.

> 
> My reading at the time convinced me that p_filesz also includes the NUL. So
> using >= left room for two NULs.
> 
> But I am not trying to hold up either version, since I don't really
> understand the relevant code. :-)
> 
> .... Ken
> 
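As an added illustration (not code from the patch, OpenBSD, or any poster), here is the check the thread converges on: bound p_filesz with `>` so that MAXPATHLEN-1 characters plus the NUL fit, and verify the terminator explicitly because the destination buffer is not zeroed. The MAXPATHLEN and PT_INTERP values, the `phdr` stand-in struct and the helper names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024   /* assumed value; the real one comes from <sys/param.h> */
#define PT_INTERP  3      /* ELF program-header type of the interpreter path */

/* Minimal stand-in for the ELF program header fields the check looks at. */
struct phdr {
	uint32_t p_type;
	uint64_t p_filesz;
};

/*
 * Validate a PT_INTERP entry and copy its path into interp, a MAXPATHLEN
 * byte buffer that is *not* zeroed (like a pool allocation without
 * PR_ZERO). seg holds the p_filesz bytes of the segment.
 * Returns 0 if accepted, -1 if rejected.
 */
int
validate_interp(const struct phdr *pp, const char *seg, char *interp)
{
	if (pp->p_type != PT_INTERP)
		return -1;
	/* p_filesz counts the NUL: at least one char + NUL, at most
	 * MAXPATHLEN-1 chars + NUL, so ">" (not ">=") is the exact bound. */
	if (pp->p_filesz < 2 || pp->p_filesz > MAXPATHLEN)
		return -1;
	memcpy(interp, seg, pp->p_filesz);
	/* The length bound alone does not guarantee termination; the rest
	 * of interp is uninitialised, so demand the NUL the header claims. */
	if (interp[pp->p_filesz - 1] != '\0')
		return -1;
	return 0;
}

/* Run one constructed segment through the check. */
int
try_interp(const char *seg, uint64_t filesz)
{
	struct phdr ph = { PT_INTERP, filesz };
	char interp[MAXPATHLEN];

	memset(interp, 0xAA, sizeof(interp)); /* simulate non-zeroed pool memory */
	return validate_interp(&ph, seg, interp);
}

/* Build a constructed path of (filesz - 1) characters plus NUL and check it. */
int
try_path_len(uint64_t filesz)
{
	char *seg;
	int r;

	if (filesz == 0 || (seg = malloc(filesz)) == NULL)
		return -1;
	memset(seg, 'a', filesz - 1);
	seg[filesz - 1] = '\0';
	r = try_interp(seg, filesz);
	free(seg);
	return r;
}
```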
