Hi Valerio,

there is no buffer overflow because of the way the memory containing VBOXNETFLTINS is allocated. See the top of VBoxNetFlt.c:vboxNetFltNewInstance(); the allocation takes the size of the name into account.

Regards,
Alexander Eichner

> On 07.03.2015 14:46, Valerio Daelli <[email protected]> wrote:
>
> Hi,
>
> I am working on a patch on the vboxnetflt kernel module on Linux (3.18.0 kernel).
> While inspecting the code of vboxnetflt, I found something that looks to me like a buffer overflow.
>
> VBoxNetFltInternal.h declares the structure VBOXNETFLTINS and one of its members is:
> char szName[1];
> This array is too small to contain the network device name, so when there is a copy in VBoxNetFlt.c:
>
> memcpy(pNew->szName, pszName, cchName + 1);
>
> this copy does a buffer overflow of the character array pNew->szName.
>
> Basically you are trying to copy a string like 'eno1' or another interface name into a buffer of chars with length 1.
> Obviously this implies a buffer overflow.
> Thanks for your attention,
>
> Valerio Daelli
>
> _______________________________________________
> vbox-dev mailing list
> [email protected]
> https://www.virtualbox.org/mailman/listinfo/vbox-dev
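The allocation pattern Alexander points to, as an added C example that is not VirtualBox's code: DEMO_FLTINS, demoNewInstance() and demoNameCapacity() are constructed stand-ins for VBOXNETFLTINS and vboxNetFltNewInstance(). It shows why a trailing one-element array is in bounds when the allocation is sized to include the name, and the capacity arithmetic a reviewer checks before closing such a report.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for VBOXNETFLTINS (not the real structure from
 * VBoxNetFltInternal.h): two placeholder fields, then the trailing
 * one-element name array that the thread discusses. */
typedef struct DEMO_FLTINS
{
    unsigned    uFlags;     /* placeholder field, constructed for the example */
    size_t      cchName;    /* length of szName without the terminator */
    char        szName[1];  /* must be the LAST member: it overlays the extra bytes */
} DEMO_FLTINS;

/* Bytes usable for szName when the object was allocated with
 * sizeof(DEMO_FLTINS) + cchName. sizeof() already covers szName[0] and any
 * tail padding, so capacity >= cchName + 1 for every cchName. */
static size_t demoNameCapacity(size_t cchName)
{
    return sizeof(DEMO_FLTINS) + cchName - offsetof(DEMO_FLTINS, szName);
}

/* Same idea as the vboxNetFltNewInstance() allocation described in the reply:
 * the allocation grows by the name length, so szName[1] is only nominal. */
static DEMO_FLTINS *demoNewInstance(const char *pszName)
{
    size_t       cchName = strlen(pszName);
    DEMO_FLTINS *pNew    = calloc(1, sizeof(*pNew) + cchName);
    if (!pNew)
        return NULL;
    pNew->cchName = cchName;
    memcpy(pNew->szName, pszName, cchName + 1);   /* cchName + 1 <= capacity */
    return pNew;
}

/* Allocate, copy, verify the round trip and free; returns 1 when the stored
 * name matches and the copy fits in the computed capacity, 0 otherwise. */
static int demoCheckName(const char *pszName)
{
    DEMO_FLTINS *p = demoNewInstance(pszName);
    if (!p)
        return 0;
    int ok = strcmp(p->szName, pszName) == 0
          && p->cchName + 1 <= demoNameCapacity(p->cchName);
    free(p);
    return ok;
}
```

In C99 the same layout is written with a flexible array member (`char szName[];`), which makes the intent explicit to readers and static analysers; the `[1]` form predates that and is what this thread's code uses.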
