2000-11-14 10:59:48

by Guest section DW

Subject: Re: More modutils: It's probably worse.

On Tue, Nov 14, 2000 at 09:59:22AM +0100, Olaf Kirch wrote:

> PS: The load_nls code tries to check for buffer overflows, but
> gets it wrong:
> struct nls_table *nls;
> char buf[40];
> if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
> fail;
> sprintf(buf, "nls_%s", charset);
> This will accept charset names of up to 35 characters,
> because sizeof("nls_") is 5. This gives you a single NUL byte
> overflow. Whether it's dangerous or not depends on whether your
> compiler reserves stack space for the *nls pointer or not...

Where is the overflow? If charset has 35 characters then
sprintf(buf, "nls_%s", charset);
writes 40 bytes into buf, and that fits.
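The arithmetic under discussion, written out as an added example (this is not code from the thread or from modutils): the quoted check accepts charset names of up to sizeof(buf) - sizeof("nls_") = 40 - 5 = 35 characters, and sprintf(buf, "nls_%s", charset) then stores 4 prefix bytes, the name, and one NUL, at most 40 bytes, which is exactly sizeof(buf). The code mirrors the quoted check against a 40-byte buffer followed by canary bytes and reports whether the canaries survive. The name of n 'a' characters and the canary layout are constructed here for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NLS_PREFIX "nls_"   /* sizeof(NLS_PREFIX) is 5: four letters plus the NUL */
#define NLS_BUF_LEN 40

/* Largest charset name the quoted check accepts:
 * sizeof(buf) - sizeof("nls_") = 40 - 5 = 35. */
size_t nls_max_accepted_len(void)
{
    char buf[NLS_BUF_LEN];
    return sizeof(buf) - sizeof(NLS_PREFIX);
}

/* Bytes sprintf(buf, "nls_%s", charset) stores for a name of n characters,
 * counting the terminating NUL: 4 + n + 1. */
size_t nls_bytes_written(size_t n)
{
    return (sizeof(NLS_PREFIX) - 1) + n + 1;
}

/* Reproduce the quoted code path for a constructed charset name of n 'a'
 * characters. Returns -1 if the length check rejects the name, 1 if the
 * sprintf stayed inside buf (canary bytes after buf untouched), 0 if it
 * spilled past the end of buf. */
int nls_load_check(size_t n)
{
    /* char members have alignment 1, so post[] directly follows buf[]. */
    struct { char buf[NLS_BUF_LEN]; char post[8]; } s;
    char name[64];
    size_t i;

    if (n >= sizeof(name))
        return -1;                       /* out of range for this demo */
    memset(name, 'a', n);
    name[n] = '\0';
    memset(&s, 0xAA, sizeof s);          /* canary fill */

    /* The check as quoted in the thread: accepts up to 35 characters. */
    if (strlen(name) > sizeof(s.buf) - sizeof(NLS_PREFIX))
        return -1;

    /* 4 prefix bytes + at most 35 name bytes + NUL = at most 40 bytes. */
    sprintf(s.buf, NLS_PREFIX "%s", name);

    for (i = 0; i < sizeof(s.post); i++)
        if (s.post[i] != (char)0xAA)
            return 0;
    return 1;
}

int main(void)
{
    size_t n;
    printf("max accepted name length: %zu\n", nls_max_accepted_len());
    for (n = 34; n <= 36; n++)
        printf("len %zu: writes %zu bytes, result %d\n",
               n, nls_bytes_written(n), nls_load_check(n));
    return 0;
}
```

For a 35-character name the function reports 40 bytes written and intact canaries; a 36-character name never reaches the sprintf because the check rejects it.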