Buffer overflow in disklabel
Sebastian Ssmoller
sebastian.ssmoller at web.de
Sun Apr 20 01:15:46 PDT 2003
Hi,
I attached a patch for that problem. Can someone have a look at it?
But one thing is still unclear to me: why do we need an 8k buffer for the
disk name?
seb
On Sun, 2003-04-20 at 05:23, Kris Kennaway wrote:
> Run the following under /bin/sh (not tcsh, which - still! - has a bug
> that causes the command to hang tcsh):
>
> # disklabel `perl -e 'print "a"x51200'`
> Segmentation fault (core dumped)
>
> The responsible code is:
>
>     dkname = argv[0];
>     if (dkname[0] != '/') {
>         (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
>         specname = np;
>         np += strlen(specname) + 1;
>     } else
>         specname = dkname;
>     f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>     if (f < 0 && errno == ENOENT && dkname[0] != '/') {
>         (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
>         np = namebuf + strlen(specname) + 1;
>         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>     }
>
> i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
>
> Kris
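As an added illustration (not the patch Sebastian attached, nor FreeBSD's own disklabel code), here is a bounded version of the name-building step from the quoted snippet, written in C. It assumes an 8192-byte namebuf, stands in "/dev/" for _PATH_DEV and hard-codes RAW_PART as 2; the 51200-byte argument from the report is constructed inside the block so nothing needs to be run against a real disklabel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAMEBUF_SIZE 8192      /* the 8k buffer from the report (size assumed) */
#define PATH_DEV_DEMO "/dev/"  /* stands in for _PATH_DEV from <paths.h> */
#define RAW_PART_DEMO 2        /* RAW_PART in FreeBSD's <sys/disklabel.h>, hard-coded so this builds anywhere */

/* Bounded replacement for the two unchecked sprintf() calls in the quoted code.
 * with_part != 0 builds "/dev/<dkname><raw partition letter>" (the first attempt),
 * with_part == 0 builds "/dev/<dkname>" (the ENOENT fallback); an absolute dkname
 * is copied unchanged. Returns 0 on success, or -1 with errno = ENAMETOOLONG when
 * the result would not fit, instead of writing past the end of namebuf. */
int build_specname(char *namebuf, size_t bufsize, const char *dkname, int with_part)
{
    int n;
    if (dkname[0] == '/')
        n = snprintf(namebuf, bufsize, "%s", dkname);
    else if (with_part)
        n = snprintf(namebuf, bufsize, "%s%s%c", PATH_DEV_DEMO, dkname, 'a' + RAW_PART_DEMO);
    else
        n = snprintf(namebuf, bufsize, "%s%s", PATH_DEV_DEMO, dkname);

    /* snprintf returns the length it wanted, so n >= bufsize means it truncated. */
    if (n < 0 || (size_t)n >= bufsize) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Feed the report's 51200-byte argument (constructed here) to the bounded builder;
 * returns 1 when it is refused cleanly rather than overflowing namebuf. */
int oversized_name_is_rejected(void)
{
    static char name[51201], namebuf[NAMEBUF_SIZE];

    memset(name, 'a', 51200);
    name[51200] = '\0';
    return build_specname(namebuf, sizeof namebuf, name, 1) == -1 && errno == ENAMETOOLONG;
}

/* Ordinary names still work: "ad0" expands to "/dev/ad0c", then "/dev/ad0" as fallback. */
int short_names_expand(void)
{
    char namebuf[NAMEBUF_SIZE];

    return build_specname(namebuf, sizeof namebuf, "ad0", 1) == 0 && strcmp(namebuf, "/dev/ad0c") == 0
        && build_specname(namebuf, sizeof namebuf, "ad0", 0) == 0 && strcmp(namebuf, "/dev/ad0") == 0;
}
```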
More information about the freebsd-audit mailing list