[Bug 176154] Possible memory corruption: ioctl overflowed 3rd argument

bugzilla at redhat.com bugzilla at redhat.com
Mon Dec 19 19:25:06 UTC 2005



Summary: Possible memory corruption: ioctl overflowed 3rd argument


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176154


jvdias at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NOTABUG




------- Additional Comments From jvdias at redhat.com  2005-12-19 14:24 EST -------
This is probably due to the fix for bugzilla bug 171111, rt.perl.org bug
#37535, upstream patch #25852.

Perl was incorrectly defaulting the ioctl 'length' parameter to 256, and 
making the length of the ioctl third argument at least that number of bytes
long (this caused perl to dump core if the data returned was > 256 bytes).

CDDB_get.pm sets its ioctl third arg to "", and passes NO length argument in
the IOCTL number. 

In perl versions before bug 171111 was fixed, this third argument would have
been defaulted to 256 bytes long - this would be OK as long as the string
returned is less than 256 bytes - otherwise, a perl core would result.

perl has no way of knowing how long the data returned by ioctl will be - it
only knows the length of the ioctl third argument variable, and the length
encoded in the ioctl number.

So, after it makes the ioctl, it checks that a marker placed at the end of
the ioctl third argument variable has not been overwritten - now, in the
case of CDDB_get, it has been, since the variable is no longer initialized
to 256 bytes in length.

FIX: initialize the variable in CDDB_get.pm to a reasonable length:
---
--- CDDB_get-2.25/CDDB_get.pm~  2005-06-15 10:55:23.000000000 -0400
+++ CDDB_get-2.25/CDDB_get.pm   2005-12-19 14:22:49.000000000 -0500
@@ -129,7 +129,7 @@

 sub read_toc {
   my $device=shift;
-  my $tochdr="";
+  my $tochdr=chr(0) x 8192;

   sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!]
[$device]";
   ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";
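Review bot: the new line `my $tochdr=chr(0) x 8192;` sizes the buffer with an arbitrary round constant instead of the size of the structure CDROMREADTOCHDR fills; since, as the comment above explains, perl only knows the length of the variable it is handed, the robust fix is to allocate exactly the struct size (a pack template of its fields) and, after the ioctl, verify that length($tochdr) is unchanged before unpacking it, so that a future driver writing more than expected is caught rather than silently absorbed by slack space.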
---

CDDB_get is not provided in Fedora Core or Fedora Extras - I suggest you raise
this issue with the CDDB_get developer.

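The buffer-sizing rule the comment describes, as an added example that is not CDDB_get's code or part of the bug report: the ioctl argument is preallocated to the size of the structure the driver fills, and its length is checked afterwards instead of relying on perl's old 256-byte default. The request number and the two-byte layout of struct cdrom_tochdr are assumed from linux/cdrom.h.

```perl
#!/usr/bin/perl
# Added example (not from CDDB_get or the bug report): size the ioctl
# buffer explicitly, then verify the kernel did not change its length.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NONBLOCK);

# Assumption: values taken from linux/cdrom.h, where
# struct cdrom_tochdr { __u8 cdth_trk0; __u8 cdth_trk1; } is two bytes.
use constant CDROMREADTOCHDR => 0x5305;
use constant TOCHDR_TEMPLATE => 'CC';   # two unsigned 8-bit fields
use constant TOCHDR_SIZE     => 2;

# Run an ioctl whose third argument is a buffer of exactly $size bytes.
# Returns the unpacked fields, or an empty list (with $! set) on failure.
# Dies if the buffer length changed, which is the condition perl's own
# end-of-buffer marker check is guarding against.
sub ioctl_struct {
    my ($fh, $request, $template, $size) = @_;
    my $buf = "\0" x $size;                 # preallocate: no 256-byte default
    ioctl($fh, $request, $buf) or return;   # $! carries the error
    die "ioctl changed buffer length (" . length($buf) . " != $size)"
        if length($buf) != $size;
    return unpack($template, $buf);
}

# Equivalent of CDDB_get's read_toc header step with a correctly sized buffer.
sub read_toc_header {
    my $device = shift;
    sysopen(my $cd, $device, O_RDONLY | O_NONBLOCK)
        or die "cannot open cdrom [$!] [$device]";
    my ($first, $last) = ioctl_struct($cd, CDROMREADTOCHDR,
                                      TOCHDR_TEMPLATE, TOCHDR_SIZE)
        or die "cannot read toc [$!] [$device]";
    close $cd;
    return ($first, $last);
}

if (!caller) {
    my ($first, $last) = read_toc_header($ARGV[0] // '/dev/cdrom');
    print "first track $first, last track $last\n";
}
```

Run against a CD-ROM device node; on a host without one the open fails with the errno reported rather than corrupting memory.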