Hi,

you are right, anyway if you add a variable to the structure PVBOXNETFLTINS after the array szName, the char buffer szName overflows into the variable declared after it. On the other hand, if you leave szName as the last member of the structure and add a variable before it, there is no overflow.

Thanks for your attention,

Valerio Daelli

On Sat, Mar 7, 2015 at 4:41 PM, Alexander Eichner <[email protected]> wrote:
> Hi Valerio,
>
> there is no buffer overflow because of the way the memory containing
> VBOXNETFLTINS is allocated.
> See the top of VBoxNetFlt.c:vboxNetFltNewInstance(), the allocation takes
> the size of the name into account.
>
> Regards,
> Alexander Eichner
>
>
> On 07.03.2015 14:46, Valerio Daelli <[email protected]> wrote:
> >
> > Hi,
> >
> > I am working on a patch on the vboxnetflt kernel module on Linux (3.18.0 kernel).
> > While inspecting the code of vboxnetflt, I found something that looks to me like a buffer overflow.
> >
> > VBoxNetFltInternal.h declares the structure VBOXNETFLTINS
> > and one of its members is:
> > char szName[1];
> > This array is too small to contain the network device name:
> > so when there is a copy in VBoxNetFlt.c:
> >
> > memcpy(pNew->szName, pszName, cchName + 1);
> >
> > this copy does a buffer overflow of the character array pNew->szName.
> >
> > Basically you are trying to copy a string like 'eno1'
> > or another interface name, into a buffer of chars with length 1.
> > Obviously this implies a buffer overflow.
> > Thanks for your attention,
> >
> > Valerio Daelli
> >
> > _______________________________________________
> > vbox-dev mailing list
> > [email protected]
> > https://www.virtualbox.org/mailman/listinfo/vbox-dev
> >
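The over-allocation idiom the thread is arguing about, shown as an added illustration that is not VirtualBox's code: NETFLTINS, netfltInsSize and netfltNewInstance are hypothetical stand-ins for VBOXNETFLTINS and vboxNetFltNewInstance. The trailing one-byte array is only a placeholder; the allocation size, not the declared array length, is what bounds the memcpy, which is also why any member added after szName would be overwritten.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for VBOXNETFLTINS. szName must remain the LAST
 * member: the over-allocated tail behind it is where the name is stored,
 * so a member declared after szName would sit inside that tail and be
 * overwritten by the copy. */
typedef struct NETFLTINS
{
    unsigned    uFlags;
    size_t      cchName;    /* length of szName, excluding the NUL */
    char        szName[1];  /* 1-byte stub; real storage is allocated after it */
} NETFLTINS;

/* Bytes to allocate so szName can hold cchName chars plus the NUL.
 * offsetof, not sizeof, is used so the stub byte and any trailing
 * struct padding are not counted twice. */
static size_t netfltInsSize(size_t cchName)
{
    return offsetof(NETFLTINS, szName) + cchName + 1;
}

/* Same pattern the thread describes: size the allocation from the name,
 * then copy cchName + 1 bytes into the tail. cchMax is the caller's limit
 * on the interface name length (a constructed bound for this example). */
NETFLTINS *netfltNewInstance(const char *pszName, size_t cchMax)
{
    size_t cchName = strlen(pszName);
    if (cchName > cchMax)               /* refuse over-long names up front */
        return NULL;

    NETFLTINS *pNew = calloc(1, netfltInsSize(cchName));
    if (!pNew)
        return NULL;

    pNew->cchName = cchName;
    memcpy(pNew->szName, pszName, cchName + 1);  /* fits: tail was allocated */
    return pNew;
}
```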
