2002-03-28 00:35:44

by Benoit Timbert

Subject: [PATCH] d_path()

Hello,

I have found this advisory on BUGTRAQ about d_path() :
http://online.securityfocus.com/archive/1/264117


I have made the following modifications in the d_path() of
Linux 2.2.20: d_path() returns an empty string when the path is
too large.

--- /usr/src/linux/fs/dcache.c.orig Fri Nov 2 17:39:08 2001
+++ /usr/src/linux/fs/dcache.c Wed Mar 27 23:30:32 2002
@@ -794,8 +794,11 @@
break;
namelen = dentry->d_name.len;
buflen -= namelen + 1;
- if (buflen < 0)
+ if (buflen < 0) {
+ /* FIXME : buffer overflow -> no return */
+ retval = buffer+buflen;
break;
+ }
end -= namelen;
memcpy(end, dentry->d_name.name, namelen);
*--end = '/';
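
Review bot: in the new `if (buflen < 0)` branch, `retval = buffer+buflen;` is evaluated while `buflen` is negative, so (assuming `buffer` is the start of the caller's buffer) the returned pointer lies below the buffer rather than at an empty string inside it, and any caller that reads or copies from it touches memory outside the buffer. If the intent is to return an empty string, record the position of the terminating NUL before `buflen` is decremented and assign that here, or return an error value that the callers check explicitly. The comment `/* FIXME : buffer overflow -> no return */` should also say what the function returns when the path does not fit, so the contract is clear to callers.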

---

I don't know if it really fixes the problem well, but I tested the
proposed exploit on my patched kernel and getcwd() does return an error.

It is probable that you have already fixed this, in a better way.

Benoît Timbert


2002-03-28 00:45:06

by Petko Manolov

Subject: is http://bkbits.net down?

Is it some sort of scheduled maintenance or the machine is just
down?
...or it is just my ISP?


Petko

2002-03-28 00:48:46

by David Miller

Subject: Re: is http://bkbits.net down?

From: Petko Manolov <[email protected]>
Date: Wed, 27 Mar 2002 16:42:13 -0800

Is it some sort of scheduled maintenance or the machine is just
down?
...or it is just my ISP?

Yes, Larry sent an email earlier today to this list explaining what is
happening. It's unfortunate that you did not read it.