[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'

Hi Justin,

On Fri, Oct 13, 2006 at 07:01:51PM -0400, Justin Pryzby wrote:
> >     #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
> >         if (address == (void *)MAP_FAILED) {
> >                 char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
> >                 int tmpfd;
> >                 mode_t old_umask;
> >
> >                 old_umask = umask(0177);
> >                 tmpfd = mkstemp(tmpname);
> >
> > The array 'tmpname' has enough space to contain the string
> > MM_SWAP_TEMPLATE, but not the terminating '\0' byte.  Therefore
> > 'mkstemp' is called with an unterminated string.
> In a test, a string constant has sizeof(s)==1+strlen(s); this happens for
> a character constant, too.  I'm assuming that gcc implements the behavior
> required by relevant standards.

Sorry, I can't quite follow you here.  Is your claim that

    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;

will make 'tmpname' long enough to contain the trailing '\0'?  This is
not true.  And what do you mean by "relevant standards"?

The problem, reduced to a simpler form, is shown in the following

    voss@burmah [~] cat t.c
    #include <stdio.h>
      char string[4]="1234";
      return 0;
    voss@burmah [~] gcc t.c
    voss@burmah [~] ./a.out

Clearly 'string' was not terminated there.  Why do you think that the
original issue is different?

All the best,

Attachment: signature.asc
Description: Digital signature

Reply to: