On 5/26/06, Anselm R. Garbe <[EMAIL PROTECTED]> wrote:
But I cannot agree on the off-by-one bounds checks.

- if(fcall->count > sizeof(buf))
+ if(fcall->count > sizeof(buf) - 1)
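Review bot: the `- 1` is correct if buf[fcall->count] is written after this check, as the reply says each case statement does: with `count > sizeof(buf)` as the test, count == sizeof(buf) passes and the terminating buf[fcall->count] = 0 lands one byte past the end of buf. The check is bounding the index of that write, not the payload length, so the "not a string" argument does not apply. Writing it as `if(fcall->count >= sizeof(buf))` says the same thing without the subtraction and reads as "leave room for the terminator".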

This is wrong, because fcall->count is not an array index, but
indicates the size of data. Also, it is not a string, so there are
no 0-termination issues.

In each of those case statements, buf[fcall->count] is set to 0 after
this check.  If fcall->count==sizeof(buf), then this will result in a
buffer overflow which isn't caught by the current check.

- Chris
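The off-by-one Chris describes, as an added example (not code from the wmii tree): a stand-in receive buffer with a guard byte right after it, a copy that writes the terminator at buf[count] as the case statements do, and a check whose bound is either sizeof(buf) (original) or sizeof(buf) - 1 (patched). BUFSZ, struct frame, copy_payload and terminator_clobbers_guard are assumed names.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the wmii tree. BUFSZ, struct frame and the
 * function names are assumptions; the check and the buf[count] = 0 write
 * mirror what the thread describes. */
#define BUFSZ 16

struct frame {
    char buf[BUFSZ];
    unsigned char guard;  /* the byte that sits right after buf */
};

/* Copies `count` payload bytes into f->buf and writes the terminator after
 * them, like the case statements in the thread. `bound` is the largest
 * count the check admits: sizeof(buf) for the original check,
 * sizeof(buf) - 1 for the patched one. Returns 1 if accepted, 0 if rejected.
 * The terminator is indexed through the enclosing struct so that a write at
 * position BUFSZ lands observably in `guard` instead of being undefined. */
static int copy_payload(struct frame *f, size_t bound,
                        const char *data, size_t count)
{
    unsigned char *raw = (unsigned char *)f;

    if (count > bound)                 /* the check under discussion */
        return 0;
    memcpy(f->buf, data, count);
    raw[offsetof(struct frame, buf) + count] = 0;  /* buf[count] = 0 */
    return 1;
}

/* Feeds a payload of exactly sizeof(buf) bytes through the check with the
 * given bound. Returns -1 if the check rejected it, 1 if the terminator
 * overwrote the guard byte (overflow), 0 if the guard survived. */
static int terminator_clobbers_guard(size_t bound)
{
    struct frame f;
    char payload[BUFSZ];               /* constructed: BUFSZ bytes of 'A' */

    memset(payload, 'A', sizeof payload);
    memset(&f, 0xFF, sizeof f);        /* guard starts as 0xFF */
    if (!copy_payload(&f, bound, payload, sizeof payload))
        return -1;
    return f.guard != 0xFF;
}
```

With the original bound the full-size payload is accepted and the terminator lands in the guard byte; with the patched bound the same payload is rejected before anything is written.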

_______________________________________________
[email protected] mailing list
http://wmii.de/cgi-bin/mailman/listinfo/wmii