On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:
> PS: The load_nls code tries to check for buffer overflows, but
> gets it wrong:
>
> struct nls_table *nls;
> char buf[40];
>
> if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
> fail;
> sprintf(buf, "nls_%s", charset);
>
> This will accept charset names of up to 35 characters,
> because sizeof("nls_") is 5. This gives you a single NUL byte
> overflow. Whether it's dangerous or not depends on whether your
> compiler reserves stack space for the *nls pointer or not...
Where is the overflow? If charset has 35 characters then
sprintf(buf, "nls_%s", charset);
writes 40 bytes into buf, and that fits.