On Fri, May 26, 2006 at 09:32:55AM -0400, Chris King wrote:
> On 5/26/06, Anselm R. Garbe <[EMAIL PROTECTED]> wrote:
> >But I cannot agree on the off-by-one bounds checks.
> >
> >- if(fcall->count > sizeof(buf))
> >+ if(fcall->count > sizeof(buf) - 1)
> >
> >This is wrong, because fcall->count is not an array index, but
> >indicates the size of data. Also it is no string, thus there are
> >no 0-termination issues.
>
> In each of those case statements, buf[fcall->count] is set to 0 after
> this check. If fcall->count==sizeof(buf), then this will result in a
> buffer overflow which isn't caught by the current check.
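Review bot: the `- 1` in `if(fcall->count > sizeof(buf) - 1)` is needed, not an off-by-one the wrong way, because the handler stores `buf[fcall->count] = 0` after the check, so `fcall->count == sizeof(buf)` has to be rejected and the original `> sizeof(buf)` lets it through. Writing the condition as `if(fcall->count >= sizeof(buf))` states the same thing more directly (count data bytes plus one terminator must fit in `sizeof(buf)`) and deserves a one-line comment saying the spare byte is the terminator, otherwise the next reader will "fix" it back. Since `sizeof(buf)` is a `size_t`, the comparison is done unsigned either way, so a negative `fcall->count`, if the field is signed, is rejected rather than passed.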
Sorry, I'm the moron. I changed the lines to >= however.

Regards,

--
Anselm R. Garbe ><>< www.ebrag.de ><>< GPG key: 0D73F361

_______________________________________________
[email protected] mailing list
http://wmii.de/cgi-bin/mailman/listinfo/wmii
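The off-by-one the thread settles, as an added example that is not wmii's code: a constructed fixed-size buffer with a sentinel byte placed directly after it, the original `>` check beside the `>=` check the reply ends up with, and the `buf[count] = 0` store that follows the check in each handler. BUFSZ, the struct layout and the sample input are assumptions for illustration; the page does not give the real buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size buffer in the discussed check.
 * BUFSZ and the struct are assumptions; the page does not give the real
 * buffer. A sentinel byte directly after buf makes the one-byte overrun
 * observable while every store still lands inside the struct object. */
#define BUFSZ 8
#define CANARY 0xAA

struct msg {
    unsigned char buf[BUFSZ]; /* the `buf` of the check */
    unsigned char canary;     /* occupies the byte buf[BUFSZ] would hit */
};

/* Constructed input: BUFSZ data bytes plus a NUL, so a read of up to
 * BUFSZ+1 bytes stays in bounds. */
static const unsigned char SAMPLE[BUFSZ + 1] = "ABCDEFGH";

/* The sequence that follows the check in the handler: copy `count` bytes,
 * then store the terminator at buf[count]. Goes through the struct's raw
 * bytes (buf is at offset 0) so the store to buf[BUFSZ] hits canary. */
static void copy_and_terminate(struct msg *m, const unsigned char *data, size_t count)
{
    unsigned char *raw = (unsigned char *)m;
    memcpy(raw, data, count);
    raw[count] = 0;
}

/* Original check: `if (count > sizeof(buf))`.
 * Returns -1 if the message is rejected, 1 if the terminator was written
 * past the end of buf (sentinel clobbered), 0 if everything stayed in bounds. */
int copy_original(struct msg *m, const unsigned char *data, size_t count)
{
    m->canary = CANARY;
    if (count > sizeof(m->buf))
        return -1;
    copy_and_terminate(m, data, count);
    return m->canary != CANARY;
}

/* Fixed check as settled in the reply: `>=`. Same condition as
 * `> sizeof(buf) - 1`, but it says what is meant: count data bytes plus
 * one terminator must fit in sizeof(buf). */
int copy_fixed(struct msg *m, const unsigned char *data, size_t count)
{
    m->canary = CANARY;
    if (count >= sizeof(m->buf))
        return -1;
    copy_and_terminate(m, data, count);
    return m->canary != CANARY;
}

/* Run each variant on a fresh message with the constructed input. */
int check_original(size_t count) { struct msg m; return copy_original(&m, SAMPLE, count); }
int check_fixed(size_t count)    { struct msg m; return copy_fixed(&m, SAMPLE, count); }

int main(void)
{
    size_t counts[] = { BUFSZ - 1, BUFSZ, BUFSZ + 1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("count=%zu  original=%d  fixed=%d\n",
               counts[i], check_original(counts[i]), check_fixed(counts[i]));
    return 0;
}
```

With count equal to BUFSZ the original check accepts the message and the terminator lands on the sentinel; the `>=` check rejects it. The sentinel stands in for whatever really follows `buf` on the stack or in the struct, which is why the overrun was not caught by the original check; building with AddressSanitizer would flag the same store without the sentinel.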
