Bug#194637: Buffer overflow (1 byte) in sysdeps/unix/sysv/linux/ttyname_r.c
At Sun, 25 May 2003 14:23:12 +0200 (CEST),
Hunor Csordas wrote:
> In all releases currently present on ftp.debian.org (i.e. 5, 16 and 17),
> glibc-2.3.1/debian/patches/glibc22-ttyname-devfs.dpatch contains the
> following snippet:
>
> + memcpy (buf, prefix, strlen (prefix));
> + buflen -= strlen (prefix) - 1;
> ...
> - memcpy (buf, "/dev/pts/", sizeof ("/dev/pts/"));
> - buflen -= sizeof ("/dev/pts/") - 1;
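Review bot: the `- 1` in the added line `buflen -= strlen (prefix) - 1;` is left over from the removed `sizeof`-based arithmetic and now under-counts the bytes consumed by one, since `strlen (prefix)` already excludes the terminating NUL that `sizeof ("/dev/pts/")` included; the line should read `buflen -= strlen (prefix);` so that `buflen` matches the number of bytes actually written by the preceding `memcpy (buf, prefix, strlen (prefix));`, otherwise the later append of the file name may write one byte past the end of `buf`. It would also be cleaner to compute `strlen (prefix)` once into a local and use it for both the `memcpy` length and the `buflen` adjustment, so the two cannot drift apart again.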
>
> That is certainly wrong since the value returned by strlen is one less
> than the one returned by sizeof. This doesn't matter in the first line
> since the code which later appends the file name to the directory uses a
> remembered value of the string length, but buflen being 1 more allows
> ttyname_r to use 1 byte more than available as buffer space.
I've put it in, thanks.
BTW, did you find it with a memory leak detection tool?
Regards,
-- gotom