Reporter: [EMAIL PROTECTED]
Summary: Possible buffer overflow when loading image
Version: grub 0.93
Type: software bug
Message:

In stage2/boot.c, load_image(), we determine the data_len and then try to populate the already read data from "buffer" into "linux_data_tmp_addr". If the "data_len" is between (8192-512) and (8192) bytes we will memmove bytes from beyond the end of "buffer".

--- boot.c 2003-03-11 23:43:25.000000000 -0800 +++ /tmp/boot.c2 2003-03-11 23:53:06.000000000 -0800 @@ -375,7 +375,7 @@ /* It is possible that DATA_LEN is greater than MULTIBOOT_SEARCH, so the data may have been read partially. */ - if (data_len <= MULTIBOOT_SEARCH) + if ((data_len + SECTOR_SIZE) <= MULTIBOOT_SEARCH) grub_memmove (linux_data_tmp_addr, buffer, data_len + SECTOR_SIZE); else
----

Please send followups to <[EMAIL PROTECTED]>.

_______________________________________________
Bug-grub mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-grub
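Review bot: The new condition is the right one because the guard must bound the full copy length, not data_len alone: grub_memmove reads data_len + SECTOR_SIZE bytes out of buffer, so with `if (data_len <= MULTIBOOT_SEARCH)` any data_len in the range (MULTIBOOT_SEARCH - SECTOR_SIZE, MULTIBOOT_SEARCH] passes the check yet reads up to SECTOR_SIZE bytes past the end of buffer; `if ((data_len + SECTOR_SIZE) <= MULTIBOOT_SEARCH)` closes that window. Two follow-ups for the same hunk: the comment above the check still only mentions DATA_LEN being greater than MULTIBOOT_SEARCH, so it should say that the copy includes an extra SECTOR_SIZE bytes and that is why the sum is compared; and because lengths in that window now fall through to the else branch (not shown in the hunk), that branch must be verified to handle them correctly, since it was previously reached only when data_len itself exceeded MULTIBOOT_SEARCH.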
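To make the off-by-one-sector window in the report concrete, here is an added C example (not grub's code and not the reporter's) that compares the original predicate with the patched one and wraps the copy in a bounds check. The constants 8192 and 512 are the values the report gives for MULTIBOOT_SEARCH and SECTOR_SIZE; the functions old_check, new_check, overrun_bytes, count_unsafe_lengths, guarded_copy and load_chunk, and the two static buffers standing in for "buffer" and "linux_data_tmp_addr", are all hypothetical names introduced for this illustration. Unlike grub, which falls through to an else branch that reads the rest of the data, the hardened copy here simply refuses when the copy would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values the bug report quotes for grub 0.93's stage2 constants. */
#define MULTIBOOT_SEARCH 8192
#define SECTOR_SIZE      512

/* Predicate from the original stage2/boot.c: bounds data_len by itself. */
static int old_check(size_t data_len)
{
    return data_len <= MULTIBOOT_SEARCH;
}

/* Predicate from the proposed patch: bounds the whole copy length. */
static int new_check(size_t data_len)
{
    return data_len + SECTOR_SIZE <= MULTIBOOT_SEARCH;
}

/* Bytes that a memmove of (data_len + SECTOR_SIZE) out of a
 * MULTIBOOT_SEARCH-byte source would read past its end; 0 means it fits. */
static size_t overrun_bytes(size_t data_len)
{
    size_t copy_len = data_len + SECTOR_SIZE;
    return copy_len > MULTIBOOT_SEARCH ? copy_len - MULTIBOOT_SEARCH : 0;
}

/* Count the data_len values in [0, MULTIBOOT_SEARCH] that a predicate lets
 * through even though the copy would overrun the source buffer. */
static size_t count_unsafe_lengths(int (*check)(size_t))
{
    size_t unsafe = 0;
    for (size_t data_len = 0; data_len <= MULTIBOOT_SEARCH; data_len++)
        if (check(data_len) && overrun_bytes(data_len) > 0)
            unsafe++;
    return unsafe;
}

/* Hypothetical hardened copy (not grub's code): refuse with -1 instead of
 * overrunning either buffer; otherwise return the number of bytes moved. */
static long guarded_copy(unsigned char *dst, size_t dst_len,
                         const unsigned char *src, size_t src_len,
                         size_t data_len)
{
    size_t copy_len = data_len + SECTOR_SIZE;
    if (copy_len > src_len || copy_len > dst_len)
        return -1;
    memmove(dst, src, copy_len);
    return (long)copy_len;
}

/* Constructed buffers standing in for "buffer" and "linux_data_tmp_addr". */
static unsigned char buffer[MULTIBOOT_SEARCH];
static unsigned char linux_data_tmp[MULTIBOOT_SEARCH + SECTOR_SIZE];

/* Simulated load step for one data_len value. */
static long load_chunk(size_t data_len)
{
    return guarded_copy(linux_data_tmp, sizeof linux_data_tmp,
                        buffer, sizeof buffer, data_len);
}

int main(void)
{
    printf("old check lets %zu unsafe lengths through (max overrun %zu bytes)\n",
           count_unsafe_lengths(old_check), overrun_bytes(MULTIBOOT_SEARCH));
    printf("new check lets %zu unsafe lengths through\n",
           count_unsafe_lengths(new_check));
    printf("load_chunk(7680) -> %ld, load_chunk(7681) -> %ld\n",
           load_chunk(7680), load_chunk(7681));
    return 0;
}
```

The count of 512 unsafe lengths under the old predicate is exactly the window the report describes: every data_len from 8192-512+1 up to 8192 passes `data_len <= MULTIBOOT_SEARCH` while the copy of data_len + 512 bytes runs past the 8192-byte source. The general lesson is that a length check must be written against the size actually passed to the copy, including any fixed overhead added at the call site.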