
Bug#194637: Buffer overflow (1 byte) in sysdeps/unix/sysv/linux/ttyname_r.c



At Sun, 25 May 2003 14:23:12 +0200 (CEST),
Hunor Csordas wrote:
> In all releases currently present on ftp.debian.org (i.e. 5, 16 and 17),
> glibc-2.3.1/debian/patches/glibc22-ttyname-devfs.dpatch contains the
> following snippet:
> 
> +  memcpy (buf, prefix, strlen (prefix));
> +  buflen -= strlen (prefix) - 1;
> ...
> -  memcpy (buf, "/dev/pts/", sizeof ("/dev/pts/"));
> -  buflen -= sizeof ("/dev/pts/") - 1;
> 
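Review bot: in the added line `buflen -= strlen (prefix) - 1;` the `- 1` is carried over from the removed `sizeof ("/dev/pts/") - 1` form, where it discounted the terminating NUL that sizeof counts. strlen does not count the NUL, so here buflen ends up one larger than the space left after the prefix; suggest `buflen -= strlen (prefix);`. The added memcpy also copies only strlen (prefix) bytes, so unlike the removed memcpy it no longer writes a NUL after the prefix, which deserves a short comment.
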
> That is certainly wrong since the value returned by strlen is one less
> than the one returned by sizeof. This doesn't matter in the first line
> since the code which later appends the file name to the directory uses a
> remembered value of the string length, but buflen being 1 more allows
> ttyname_r to use 1 byte more than available as buffer space.

I've put it in, thanks.

BTW, did you find it with a memory leak detection tool?

Regards,
-- gotom
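
The off-by-one described in the quoted report, as an added C example that is not part of the original thread and is not glibc source. It is a simplified model of the prefix copy and remaining-space calculation; `build_path`, `bytes_past_end`, the enum names and the 12-byte declared size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the space accounting discussed in this thread.
   Assumption: not glibc source; build_path and bytes_past_end are hypothetical. */
enum accounting { DPATCH_STRLEN_MINUS_1, CORRECTED_STRLEN };

/* Copies prefix then name into buf (declared size buflen).
   Returns bytes written including the NUL, or 0 if the name is rejected. */
static size_t build_path(char *buf, size_t buflen, const char *prefix,
                         const char *name, enum accounting mode)
{
    size_t plen = strlen(prefix);
    if (buflen < plen + 1)
        return 0;
    memcpy(buf, prefix, plen);
    /* strlen already excludes the NUL, so the extra "- 1" leaves the
       remaining-space figure one byte larger than what is really left. */
    size_t remaining = (mode == DPATCH_STRLEN_MINUS_1) ? buflen - (plen - 1)
                                                       : buflen - plen;
    size_t need = strlen(name) + 1;          /* name plus terminating NUL */
    if (need > remaining)
        return 0;
    memcpy(buf + plen, name, need);
    return plen + need;
}

/* Calls build_path with a declared size smaller than the real backing
   array and counts canary bytes changed beyond the declared end. */
static size_t bytes_past_end(size_t declared, const char *name, enum accounting mode)
{
    unsigned char backing[64];
    size_t changed = 0;
    memset(backing, 0xAA, sizeof backing);
    build_path((char *)backing, declared, "/dev/pts/", name, mode);
    for (size_t i = declared; i < sizeof backing; i++)
        changed += (backing[i] != 0xAA);
    return changed;
}

int main(void)
{
    /* Constructed input: 12-byte buffer, "/dev/pts/" (9) + "123" (3) + NUL = 13. */
    printf("dpatch accounting:    %zu byte(s) past end\n",
           bytes_past_end(12, "123", DPATCH_STRLEN_MINUS_1));
    printf("corrected accounting: %zu byte(s) past end\n",
           bytes_past_end(12, "123", CORRECTED_STRLEN));
    return 0;
}
```

The 64-byte backing array keeps the extra write inside memory the program owns, so the one-byte overrun can be observed safely.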


