On Tue, Jan 20, 2015 at 1:11 PM, Alan <gno...@lxorguk.ukuu.org.uk> wrote: > I can't prove the case pointed out in > https://bugzilla.kernel.org/show_bug.cgi?id=82341 > is correct so let us play safe. > > Signed-off-by: Alan Cox <a...@linux.intel.com> > --- > arch/um/os-Linux/drivers/ethertap_user.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/um/os-Linux/drivers/ethertap_user.c > b/arch/um/os-Linux/drivers/ethertap_user.c > index b39b669..6d49182 100644 > --- a/arch/um/os-Linux/drivers/ethertap_user.c > +++ b/arch/um/os-Linux/drivers/ethertap_user.c > @@ -105,7 +105,7 @@ static int etap_tramp(char *dev, char *gate, int > control_me, > sprintf(data_fd_buf, "%d", data_remote); > sprintf(version_buf, "%d", UML_NET_VERSION);
The two above may also overflow, if the numbers contain more than 5 resp. 6 digits. > if (gate != NULL) { > - strcpy(gate_buf, gate); > + strncpy(gate_buf, gate, 15); Same comment as before: "This will copy at most 15 bytes. If "gate" contains 15 or more characters, gate_buf[] won't be zero-terminated. I think you'd better use strlcpy(), unless the remainder of the buffer must be filled with zeroes." Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
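
Review bot: strncpy(gate_buf, gate, 15) in the gate != NULL branch leaves gate_buf without a terminating NUL whenever gate is 15 characters or longer, unless the buffer was zeroed beforehand, and the literal 15 is not tied to the declared size of gate_buf, which these lines do not show. Bound the copy with sizeof(gate_buf) and guarantee termination, and consider rejecting an over-long gate with an error instead of truncating it silently. The two unchanged context lines, sprintf(data_fd_buf, "%d", data_remote) and sprintf(version_buf, "%d", UML_NET_VERSION), are unbounded as well; snprintf() with sizeof() of each destination would close that in the same patch.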
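
The termination problem raised in the reply above, as an added example that is not part of the original mail or of the kernel source: it contrasts the patched strncpy() pattern with a bounded copy that always terminates and reports truncation. The 16-byte and 6-byte buffer sizes, the helper names and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define GATE_BUF_LEN 16 /* assumption: the literal 15 suggests a 16-byte gate_buf */

/* 1 if a NUL exists within the n bytes of dst, else 0. */
static int is_terminated(const char *dst, size_t n)
{
    return memchr(dst, '\0', n) != NULL;
}

/* Pattern from the patch: strncpy(dst, src, n - 1) into a buffer that was
 * not zeroed first (the 0xAA fill stands in for stale stack contents). */
static int copy_like_patch(char *dst, size_t n, const char *src)
{
    memset(dst, 0xAA, n);
    strncpy(dst, src, n - 1);
    return is_terminated(dst, n);
}

/* Bounded copy: always terminated; -1 (and empty dst) if src does not fit. */
static int copy_checked(char *dst, size_t n, const char *src)
{
    int len = snprintf(dst, n, "%s", src);
    if (len < 0 || (size_t)len >= n) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same bound for the "%d" conversions; -1 if the digits do not fit. */
static int fmt_int_checked(char *dst, size_t n, int value)
{
    int len = snprintf(dst, n, "%d", value);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    char buf[GATE_BUF_LEN], num[6]; /* num[6]: assumed size, room for 5 digits */
    /* constructed sample strings: 13, 15 and 17 characters */
    const char *s[] = { "192.168.100.1", "192.168.100.100", "fe80::1234:5678:9" };
    for (int i = 0; i < 3; i++)
        printf("%-18s terminated=%d checked=%d\n", s[i], copy_like_patch(buf, sizeof(buf), s[i]), copy_checked(buf, sizeof(buf), s[i]));
    printf("12345 -> %d, 123456 -> %d\n", fmt_int_checked(num, sizeof(num), 12345), fmt_int_checked(num, sizeof(num), 123456));
    return 0;
}
```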