On 5/26/06, Anselm R. Garbe <garbeam_AT_wmii.de> wrote:
> But I cannot agree on the off-by-one bounds checks.
>
> - if(fcall->count > sizeof(buf))
> + if(fcall->count > sizeof(buf) - 1)
>
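Review bot: the '+' line is the correct bound given the statement that follows the check: the '-' form rejects only fcall->count > sizeof(buf), so fcall->count == sizeof(buf) passes, and the later buf[fcall->count] = 0 described below then writes one byte past the end of buf. With `- 1`, the largest accepted count is sizeof(buf) - 1, which leaves buf[sizeof(buf) - 1] for the terminating 0. The objection that fcall->count is a data size rather than an index holds for the data copy itself, but the terminator write uses count as an index, which is what makes the off-by-one real.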
> This is wrong, because fcall->count is not an array index, but
> indicates the size of data. Also it is no string, thus there are
> no 0-termination issues.
In each of those case statements, buf[fcall->count] is set to 0 after
this check. If fcall->count==sizeof(buf), then this will result in a
buffer overflow which isn't caught by the current check.
- Chris
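As an added illustration of the boundary case Chris describes (example code, not wmii's own): a fixed-size buffer with both forms of the check side by side, plus a receive helper that uses the corrected bound. The buffer size, the helper names and the sample data are hypothetical; the thread itself names only fcall->count, buf and sizeof(buf).

```c
#include <stddef.h>
#include <string.h>

/* Constructed buffer size standing in for sizeof(buf) in the thread. */
#define BUFSZ 16

/* The check as quoted on the '-' line: rejects only count > sizeof(buf),
 * so count == sizeof(buf) is accepted. Returns 1 if accepted. */
static int old_check_accepts(size_t count) {
    return !(count > BUFSZ);
}

/* The check as quoted on the '+' line: leaves room for the terminating 0.
 * Returns 1 if accepted. */
static int new_check_accepts(size_t count) {
    return !(count > BUFSZ - 1);
}

/* The copy puts data in buf[0 .. count-1] and then writes buf[count] = 0,
 * so the highest index touched is count itself. This reports whether that
 * terminator write stays inside a BUFSZ-byte buffer. */
static int terminator_in_bounds(size_t count) {
    return count < BUFSZ;
}

/* Receive helper (hypothetical): copies count bytes into buf and
 * 0-terminates, guarded by the corrected bound.
 * Returns 0 on success, -1 if the message is rejected. */
static int receive_into(char *buf, size_t bufsz,
                        const unsigned char *data, size_t count) {
    if (bufsz == 0 || count > bufsz - 1)  /* corrected: count <= bufsz - 1 */
        return -1;
    memcpy(buf, data, count);
    buf[count] = 0;                       /* now always inside the buffer */
    return 0;
}
```

With count equal to BUFSZ, old_check_accepts() says yes while terminator_in_bounds() says no: that is exactly the one-byte overflow the `- 1` closes.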
Received on Fri May 26 2006 - 15:33:31 UTC
This archive was generated by hypermail 2.2.0 : Sun Jul 13 2008 - 16:07:01 UTC