2000-11-23 16:32:37

by Tobias Ringstrom

Subject: Too long network device names corrupts kernel

(2.4.0-test11, but probably every version)

The name member of the net_device struct is fixed to IFNAMSIZ (16) bytes,
and is accessed using strcpy, strcmp and friends all over the place, which
suggests that the last byte of the name must be a null character. This
must be verified when the name is set. I haven't looked very hard, but
this seems not to be the case.

It is, to my knowledge, not possible for a normal user to create/name a
device, so only root can cause the corruption. Bad enough, but not
catastrophic.

As I see it, one (or both) of the following must be done:

1. Find all places where the device name is set and use length checking
functions such as strncpy.

2. Find all places where a device name is used, and use special methods to
copy and add a null character, or use strncpy, strncmp, etc.

...where number one is probably the only realistic solution.

I discovered this when I tried to create a tunnel using more than
IFNAMSIZ-1 (15) characters. It's quite hard to remove that tunnel. I'll go
for the Windows solution and reboot. Sigh!

Btw, does anyone know of a C function that works like strncpy, but does
add a terminating null character, even if the string does not fit, or
does one have to do str[5]=0 first, and then strncpy(str,src,4)?

/Tobias



2000-11-23 17:08:21

by Christoph Hellwig

Subject: Re: Too long network device names corrupts kernel

In article <[email protected]> you wrote:
> Btw, does anyone know of a C function that works like strncpy, but does
> add a terminating null character, even if the string does not fit, or
> does one have to do str[5]=0 first, and then strncpy(str,src,4)?

strlcpy.

Check 'http://www.FreeBSD.org/cgi/man.cgi?query=strlcpy&apropos=0&sektion=0&manpath=OpenBSD+2.6&format=html'
for details.

Originally for OpenBSD, most UNICES (NetBSD, FreeBSD, Solaris,
UnixWare, OpenServer) have it in libc now.

Glibc is missing it because my patch did not get accepted.

If there is interest in having this in the kernel I could come up with a patch.

Christoph

--
Always remember that you are unique. Just like everyone else.

2000-11-23 23:44:40

by Michael Richardson

Subject: Re: Too long network device names corrupts kernel


>>>>> "Tobias" == Tobias Ringstrom <[email protected]> writes:
Tobias> Btw, does anyone know of a C function that works like strncpy, but does
Tobias> add a terminating null character, even if the string does not fit, or
Tobias> does one have to do str[5]=0 first, and then strncpy(str,src,4)?

str[0]=0;
strncat(str, src, 4);

Works as you want.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
] Michael Richardson, Solidum Systems Oh where, oh where has|problem with[
] [email protected] http://www.solidum.com the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
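
Added example (not part of any message in this thread, and not kernel code): a user-space C comparison of the approaches discussed above for a fixed IFNAMSIZ buffer, namely plain strncpy, the strncat idiom, and strlcpy semantics, plus a setter that rejects over-long names. The helper names, the `demo` buffer and the sample name are constructed for illustration; `name_strlcpy` is a local reimplementation, not a libc function.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16              /* size of net_device.name, per the thread */
char demo[IFNAMSIZ];             /* constructed stand-in for dev->name */

/* strncpy with the full buffer size: returns 1 if dst is NUL-terminated. */
int set_name_strncpy(char *dst, const char *src)
{
    strncpy(dst, src, IFNAMSIZ);          /* writes no NUL if src has >= 16 chars */
    return memchr(dst, '\0', IFNAMSIZ) != NULL;
}

/* The strncat idiom from the thread, sized for IFNAMSIZ: always terminated. */
size_t set_name_strncat(char *dst, const char *src)
{
    dst[0] = '\0';
    strncat(dst, src, IFNAMSIZ - 1);      /* at most 15 chars plus a NUL */
    return strlen(dst);
}

/* strlcpy semantics: always terminates, returns strlen(src) to flag truncation. */
size_t name_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size != 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Setter that rejects an over-long name instead of truncating it. */
int set_name_checked(char *dst, const char *src)
{
    if (strlen(src) >= IFNAMSIZ)
        return -1;
    name_strlcpy(dst, src, IFNAMSIZ);
    return 0;
}

int main(void)
{
    const char *too_long = "tunnel0123456789";   /* constructed, 16 chars */
    printf("strncpy terminated: %d\n", set_name_strncpy(demo, too_long));
    printf("strncat length:     %zu\n", set_name_strncat(demo, too_long));
    printf("checked setter:     %d\n", set_name_checked(demo, too_long));
}
```

Truncating silently can make two distinct requested names collide on the same 15-character prefix, so a setter that returns an error is usually the safer choice for identifiers such as device names.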