summaryrefslogtreecommitdiff
path: root/etc
diff options
context:
space:
mode:
authorkay.sievers@vrfy.org <kay.sievers@vrfy.org>2004-01-28 19:00:51 -0800
committerGreg KH <gregkh@suse.de>2005-04-26 21:13:20 -0700
commit8a08e4b1906eef5d5cb585b125612cce8d565e5c (patch)
treeef577b437aa6c98efd7b2795ff271553cb49f8d2 /etc
parentbc59f0167a03be2d2e4cf8a680dda8444243c64f (diff)
[PATCH] fix possible buffer overflow
On Tue, Jan 27, 2004 at 11:02:25AM -0800, Greg KH wrote: > On Mon, Jan 26, 2004 at 07:28:03PM -0500, Adrian Drzewiecki wrote: > > Looking over the code, I noticed something odd in > > namedev.c:strcmp_pattern() -- > > > > while (*p && (*p != ']')) > > p ++; > > return strcmp_pattern(p+1, s+1); > > > > If the pattern string is invalid, and is not terminated by a ']', then 'p' > > will point at \0 and p+1 will be beyond the string. > > Yes, I think you are correct. > > Hm, Kay, any idea of the proper way to fix this? I've attached a patch > below, but I don't think it is correct. > > while (*p && (*p != ']')) > p++; > - return strcmp_pattern(p+1, s+1); > + if (*p) > + return strcmp_pattern(p+1, s+1); > + else > + return 1; > } > } Sure, it's perfectly correct. I'm wondering how Adrian found this. We can use the return 1 at the end of the whole function, and asking for the closing ']' is more descriptive, but it does the same. - return strcmp_pattern(p+1, s+1); + if (*p == ']') + return strcmp_pattern(p+1, s+1); Patch is attached, that also replaces all the *s with s[0].
Diffstat (limited to 'etc')
0 files changed, 0 insertions, 0 deletions