Rickard, On Jul 26, 2014, at 2:50 PM, Rickard Strandqvist <rickard_strandqv...@spectrumdigital.se> wrote:
> Replacing strncpy with strlcpy to avoid strings that lacks null terminate. > And use the sizeof on the to string rather than the from string. > > Signed-off-by: Rickard Strandqvist <rickard_strandqv...@spectrumdigital.se> > --- > arch/x86/ia32/ia32_aout.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c > index d21ff89..1a5eb43 100644 > --- a/arch/x86/ia32/ia32_aout.c > +++ b/arch/x86/ia32/ia32_aout.c > @@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm) > fs = get_fs(); > set_fs(KERNEL_DS); > has_dumped = 1; > - strncpy(dump.u_comm, current->comm, sizeof(current->comm)); > + strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm)); > dump.u_ar0 = offsetof(struct user32, regs); > dump.signal = cprm->siginfo->si_signo; > dump_thread32(cprm->regs, &dump); This patch appears to introduce an information leakage as well. The dump structure is on the stack and not cleared, so changing to strlcpy leaves part of the u_comm field holding unintialized data which is then written into the dump. The sizeof in the 3rd argument of the original is really an incorrect reference, as you corrected. A question to consider in this case: is the string in that structure expected to always be null-terminated or not. It is not the case that all such character arrays are expected to be. I don't happen to know in this case. -- Mark Rustad, mrus...@gmail.com
signature.asc
Description: Message signed with OpenPGP using GPGMail