buffer overflow in srm_env_write?!
Falk Hueffner
falk at debian.org
Mon Mar 14 19:15:44 UTC 2005
Heid Oliver <oliver.heid at siemens.com> writes:
> here it is.
>
> --- arch/alpha/kernel/srm_env.c~ 2005-03-02 08:37:49.000000000 +0100
> +++ arch/alpha/kernel/srm_env.c 2005-03-14 17:00:48.000000000 +0100
> @@ -152,7 +152,7 @@
> res = -EFAULT;
> if (copy_from_user(buf, buffer, count))
> goto out;
> - buf[count] = '\0';
> + buf[count-1] = '\0';
>
> ret1 = callback_setenv(entry->id, buf, count);
> if ((ret1 >> 61) == 0) {
> ---
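Review bot: at `buf[count-1] = '\0';` a write with count == 0 indexes buf[-1], so the store lands before the start of buf, and for any other count it overwrites the last byte the user supplied whether or not that byte is a newline. callback_setenv is also still called with the unchanged count, so the length passed no longer matches the string that was just shortened. Reject or return early on count == 0 before the copy, strip the final byte only when it is '\n', and pass the adjusted length to callback_setenv. The visible context does not show how buf is sized, so the commit message should state what guarantees the terminator write stays in bounds.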
That will nuke the kernel if count == 0.
The real solution is not to add a newline if you don't want one to be
added. Use echo -n.
--
Falk