Prevent write to write init->argw.argv[SLIRP_MAX_ARGS]
Signed-off-by: Roel Kluin <[email protected]>
---
If i becomes SLIRP_MAX_ARGS - 1 and `*str != ','` evaluates to
true, then we write init->argw.argv[SLIRP_MAX_ARGS].
Can this occur?
diff --git a/arch/um/drivers/slirp_kern.c b/arch/um/drivers/slirp_kern.c
index e376284..39bc9a7 100644
--- a/arch/um/drivers/slirp_kern.c
+++ b/arch/um/drivers/slirp_kern.c
@@ -97,6 +97,9 @@ static int slirp_setup(char *str, char **mac_out, void *data)
*str++ = '\0';
} while (1);
+ if (i == SLIRP_MAX_ARGS)
+ i--;
+
init->argw.argv[i] = NULL;
return 1;
}
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
User-mode-linux-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
