diff options
| author | kay.sievers@vrfy.org <kay.sievers@vrfy.org> | 2004-01-28 19:00:51 -0800 |
|---|---|---|
| committer | Greg KH <gregkh@suse.de> | 2005-04-26 21:13:20 -0700 |
| commit | 8a08e4b1906eef5d5cb585b125612cce8d565e5c (patch) | |
| tree | ef577b437aa6c98efd7b2795ff271553cb49f8d2 /udev.8 | |
| parent | bc59f0167a03be2d2e4cf8a680dda8444243c64f (diff) | |
[PATCH] fix possible buffer overflow
On Tue, Jan 27, 2004 at 11:02:25AM -0800, Greg KH wrote:
> On Mon, Jan 26, 2004 at 07:28:03PM -0500, Adrian Drzewiecki wrote:
> > Looking over the code, I noticed something odd in
> > namedev.c:strcmp_pattern() --
> >
> > while (*p && (*p != ']'))
> > p ++;
> > return strcmp_pattern(p+1, s+1);
> >
> > If the pattern string is invalid, and is not terminated by a ']', then 'p'
> > will point at \0 and p+1 will be beyond the string.
>
> Yes, I think you are correct.
>
> Hm, Kay, any idea of the proper way to fix this? I've attached a patch
> below, but I don't think it is correct.
>
> while (*p && (*p != ']'))
> p++;
> - return strcmp_pattern(p+1, s+1);
> + if (*p)
> + return strcmp_pattern(p+1, s+1);
> + else
> + return 1;
> }
> }
Sure, it's perfectly correct. I'm wondering how Adrian found this.
We can use the return 1 at the end of the whole function, and asking
for the closing ']' is more descriptive, but it does the same.
- return strcmp_pattern(p+1, s+1);
+ if (*p == ']')
+ return strcmp_pattern(p+1, s+1);
Patch is attached, that also replaces all the *s with s[0].
Diffstat (limited to 'udev.8')
0 files changed, 0 insertions, 0 deletions