Dear diary, on Thu, Apr 14, 2005 at 02:53:54PM CEST, I got a letter where Ingo Molnar <[EMAIL PROTECTED]> told me that... > > this patch fixes a 1-byte overflow in show-files.c (looks narrow is is > probably not exploitable). A specially crafted db object (tree) might > trigger this overflow. > > 'fullname' is an array of 4096+1 bytes, and we do readdir(), which > produces entries that have strings with a length of 0-255 bytes. With a > long enough 'base', it's possible to construct a tree with a name in it > that has directory whose name ends precisely at offset 4095. At that > point this code: > > case DT_DIR: > memcpy(fullname + baselen + len, "/", 2); > > will attempt to append a "/" string to the directory name - resulting in > a 1-byte overflow (a zero byte is written to offset 4097, which is > outside the array).
The name ends precisely at offset 4095 with its NUL character: {PATH_MAX} Maximum number of bytes in a pathname, including the terminating null character. [ http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html ] So, if I'm not mistaken, '/' will be written at offset 4095 instead of the NUL and the NUL will be written at 4096. Everything's fine, right? -- Petr "Pasky" Baudis Stuff: http://pasky.or.cz/ C++: an octopus made by nailing extra legs onto a dog. -- Steve Taylor - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html