buffer overflow in srm_env_write?!
Balint Cristian
rezso at rdsor.ro
Fri Mar 11 16:35:52 UTC 2005
On Friday 11 March 2005 14:23, Heid Oliver wrote:
> Shouldn't
>
>     if (copy_from_user(buf, buffer, count))
>         goto out;
>     buf[count] = '\0';
>
>     ret1 = callback_setenv(entry->id, buf, count);
>
> read
>
>     buf[count-1] = '\0';
>         ^^^^^^^
>
> in srm_env_write() in srm_env.c?! When I change SRM variables via
> /proc/srm_environment, a trailing linefeed 0x0a is written into the
> variable, which it is not when changing the variable via the SRM graphical
> console itself. The above code change overwrites the linefeed with 0x0.
Can you post a patch for this?
It is a bug; srm env through proc is really unusable:
every time I do echo "1" > /proc/.../boot_osflags it doesn't work, only
if I re-set it in the real SRM BIOS.
>
> Oliver
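An added example, not part of the original thread or the kernel source: a userspace C model of the terminate-and-strip step discussed above. It drops the linefeed only when one is present and rejects a count that would place the terminator outside the buffer. The function name, `ENV_BUF_SIZE`, `demo_buf` and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size: the driver's real buffer size is not shown in the thread. */
#define ENV_BUF_SIZE 256

static char demo_buf[ENV_BUF_SIZE];

/*
 * Hypothetical helper modelling the write path quoted in the thread.
 * Copies count bytes from src (standing in for the user buffer), NUL-terminates,
 * and removes one trailing linefeed if present.
 * Returns the resulting value length, or -1 if count does not fit.
 */
long env_prepare_value(char *buf, size_t bufsize, const char *src, size_t count)
{
    /* buf[count] must stay inside the buffer, so count may be at most bufsize-1. */
    if (bufsize == 0 || count >= bufsize)
        return -1;

    memcpy(buf, src, count);          /* copy_from_user() in the kernel */
    buf[count] = '\0';

    /*
     * An unconditional buf[count-1] = '\0' would index buf[-1] when count == 0
     * and would eat the last character of input written without a newline
     * (for example from "echo -n"). Test for the linefeed first.
     */
    if (count > 0 && buf[count - 1] == '\n')
        buf[--count] = '\0';

    return (long)count;
}

int main(void)
{
    /* Constructed sample writes: with linefeed, without, and empty. */
    const char *samples[] = { "1\n", "1", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = env_prepare_value(demo_buf, sizeof demo_buf,
                                   samples[i], strlen(samples[i]));
        printf("len=%ld value=\"%s\"\n", n, demo_buf);
    }
    return 0;
}
```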