On Thu, Jul 29, 2010 at 03:24:54PM -0700, Xin LI wrote:
> On 2010/07/29 05:20, Jilles Tjoelker wrote:
> > Note that this code may not be safe if fg->len comes from an untrusted
> > user, as fg->len + 1 is 0 if fg->len == SIZE_MAX. This is not the case
> > if fg->len is an actual length from strlen() or similar.
>
> Speaking for this piece of code, I have to say that the modified version
> is actually safer (an improvement, as the attacker could not overwrite
> arbitrary memory).
>
> If fg->len + 1 == 0, fg->pattern would point to a small area (assuming
> normal malloc.conf setting without V) where, for memcpy, it would
> overwrite fg->len bytes, while strlcpy() will do nothing.
>
> By the way, how can fg->len come from an untrusted party? It's
> strlen(pat) which I don't think can ever reach SIZE_MAX without crashing
> the program.

Right, fg->len comes from a strlen() so adding one to it is safe. My
remark was directed at similar code where a length comes from a number
supplied by an untrusted user.

> I'll dig further for this piece of code anyways.

-- 
Jilles Tjoelker
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
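The wrap-around the thread is discussing, as an added example that is not code from the FreeBSD tree or from either poster: `fg->len + 1` is computed in `size_t`, so for `fg->len == SIZE_MAX` the allocation size becomes 0 and a following `memcpy()` of `fg->len` bytes runs far past the buffer, whereas `strlcpy()` with a size of 0 writes nothing. The `struct fastmatch` below is a hypothetical stand-in for whatever holds `fg->len` and `fg->pattern`; `unchecked_alloc_size()` shows the arithmetic as written in the thread and `fastmatch_set_pattern()` shows the check a caller would want when the length does not come from `strlen()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical struct modelled on the fg->len / fg->pattern pair in the thread. */
struct fastmatch {
    size_t len;
    char *pattern;
};

/* The allocation size as the original code computes it: wraps to 0 for SIZE_MAX. */
size_t unchecked_alloc_size(size_t len)
{
    return len + 1;
}

/* Returns 1 if len + 1 would wrap around to 0 in size_t arithmetic. */
int len_plus_one_wraps(size_t len)
{
    return len == SIZE_MAX;
}

/*
 * Copies len bytes of pat into a freshly allocated, NUL-terminated buffer.
 * Unlike a bare malloc(len + 1), this refuses a length for which len + 1
 * wraps, so a caller that took len from untrusted input can never end up
 * with a 0-byte allocation followed by a memcpy() of SIZE_MAX bytes.
 * Returns 0 on success, -1 on overflow or allocation failure.
 */
int fastmatch_set_pattern(struct fastmatch *fg, const char *pat, size_t len)
{
    if (len_plus_one_wraps(len))
        return -1;                       /* would allocate 0 bytes */
    char *buf = malloc(unchecked_alloc_size(len));
    if (buf == NULL)
        return -1;
    memcpy(buf, pat, len);
    buf[len] = '\0';
    fg->len = len;
    fg->pattern = buf;
    return 0;
}

/* Self-check: returns 1 when the wrap is observed and the guarded path behaves. */
int demo(void)
{
    struct fastmatch fg = { 0, NULL };
    int ok = 1;

    ok = ok && unchecked_alloc_size(SIZE_MAX) == 0;          /* the wrap */
    ok = ok && fastmatch_set_pattern(&fg, "abc", 3) == 0;    /* normal strlen() length */
    ok = ok && fg.len == 3 && strcmp(fg.pattern, "abc") == 0;
    ok = ok && fastmatch_set_pattern(&fg, "x", SIZE_MAX) == -1; /* rejected, no copy */
    ok = ok && fg.len == 3;                                  /* fg untouched on failure */

    free(fg.pattern);
    return ok;
}

int main(void)
{
    printf("SIZE_MAX + 1 as size_t = %zu\n", unchecked_alloc_size(SIZE_MAX));
    printf("guarded copy checks %s\n", demo() ? "pass" : "FAIL");
    return 0;
}
```

As Jilles notes, a length that really came from `strlen()` cannot be `SIZE_MAX`, so the check only matters where the length is read from a file, a network message or another caller-controlled source; the cost of the comparison is negligible, so it is reasonable to keep it in any allocation helper that takes an arbitrary `size_t`.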