buffer overflow in srm_env_write?!
Heid Oliver
oliver.heid at siemens.com
Mon Mar 14 16:19:56 UTC 2005
here it is.
--- arch/alpha/kernel/srm_env.c~ 2005-03-02 08:37:49.000000000 +0100
+++ arch/alpha/kernel/srm_env.c 2005-03-14 17:00:48.000000000 +0100
@@ -152,7 +152,7 @@
res = -EFAULT;
if (copy_from_user(buf, buffer, count))
goto out;
- buf[count] = '\0';
+ buf[count-1] = '\0';
ret1 = callback_setenv(entry->id, buf, count);
if ((ret1 >> 61) == 0) {
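Review bot: the added line `buf[count-1] = '\0';` indexes one byte before the start of buf when count is 0, and nothing in the visible context rejects a zero-length write. It also overwrites the last byte unconditionally, so a write that does not end in a linefeed loses its final character. Suggest bailing out early when count == 0, replacing buf[count-1] only when it is '\n', and otherwise keeping the terminator at buf[count] as before. The count passed to callback_setenv on the next line is unchanged, so after this change it covers the terminator byte as well; if the callback expects the string length, pass the adjusted length.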
---
-----Original Message-----
From: Balint Cristian [mailto:rezso at rdsor.ro]
Sent: Friday, March 11, 2005 17:36
To: axp-list at redhat.com; rth at redhat.com
Cc: Heid Oliver
Subject: Re: buffer overflow in srm_env_write?!
On Friday 11 March 2005 14:23, Heid Oliver wrote:
> Shouldn't
>
> if (copy_from_user(buf, buffer, count))
> goto out;
> buf[count] = '\0';
>
> ret1 = callback_setenv(entry->id, buf, count);
>
> read
>
> buf[count-1] = '\0';
> ^^^^^^^
>
> in srm_env_write() in srm_env.c?! When I change SRM variables via
> /proc/srm_environment, a trailing linefeed 0x0a is written into the
> variable, which it is not when changing the variable via the SRM graphical
> console itself. The above code change overwrites the linefeed with 0x0.
Can you post a patch for this?
It is a bug, srm env through proc is really unusable,
every time when I do echo "1" > /proc/.../boot_osflags it doesn't work only
if I re-set it in real SRM bios.
>
> Oliver
>
> _______________________________________________
> axp-list mailing list
> axp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/axp-list
>