Re: [wmii] Small bugs in fs.c (patch)

From: Anselm R. Garbe <garbeam_AT_wmii.de>
Date: Fri, 26 May 2006 15:43:20 +0200

On Fri, May 26, 2006 at 09:32:55AM -0400, Chris King wrote:
> On 5/26/06, Anselm R. Garbe <garbeam_AT_wmii.de> wrote:
> >But I cannot agree on the off-by-one bounds checks.
> >
> >- if(fcall->count > sizeof(buf))
> >+ if(fcall->count > sizeof(buf) - 1)
> >
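Review bot: the `-` line still admits count == sizeof(buf), and since each case then does buf[fcall->count] = 0 (as noted below), that value writes the terminator one byte past the end of buf; the `+` line closes that gap. Because the terminator needs one slot beyond the data, the limit is a size check plus one, and `if(fcall->count >= sizeof(buf))` says that more directly than `> sizeof(buf) - 1`.
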
> >This is wrong, because fcall->count is not an array index, but
> >indicates the size of data. Also it is not a string, thus there are
> >no 0-termination issues.
>
> In each of those case statements, buf[fcall->count] is set to 0 after
> this check. If fcall->count==sizeof(buf), then this will result in a
> buffer overflow which isn't caught by the current check.

Sorry, I'm the moron. I changed the lines to >= however.

Regards,

-- 
 Anselm R. Garbe  ><><  www.ebrag.de  ><><  GPG key: 0D73F361
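The off-by-one discussed in this thread, as an added example that is not wmii's fs.c code: a constructed stand-in `struct fcall` with only `count` and `data`, a 16-byte `buf`, and the two predicates `old_check_rejects` (the original `>` test) and `new_check_rejects` (the `>=` test Anselm switched to). `copy_and_terminate` mirrors the pattern the thread describes, copying `count` bytes and then writing `buf[count] = 0`, and shows why the terminator slot has to be counted against the buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the 9P call structure in wmii's fs.c:
 * only the two fields this example needs. */
struct fcall {
    unsigned int count;   /* size of data in bytes, not an array index */
    const char *data;
};

enum { BUFSZ = 16 };

/* The original bounds check: accepts count == bufsz. */
int old_check_rejects(unsigned int count, size_t bufsz) {
    return count > bufsz;
}

/* The corrected check (the ">=" form Anselm settled on). */
int new_check_rejects(unsigned int count, size_t bufsz) {
    return count >= bufsz;
}

/* buf[count] = 0 touches index count; the largest valid index is
 * bufsz - 1. Returns 1 when that terminator write would be out of range. */
int terminator_out_of_range(unsigned int count, size_t bufsz) {
    return count > bufsz - 1;   /* equivalent to count >= bufsz */
}

/* Copy fcall->data into buf and 0-terminate, refusing any count that
 * would put the terminator past the end. Returns 0 on success, -1 on
 * rejection. This is the pattern the thread describes, not fs.c itself. */
int copy_and_terminate(const struct fcall *fcall, char *buf, size_t bufsz) {
    if (new_check_rejects(fcall->count, bufsz))
        return -1;
    memcpy(buf, fcall->data, fcall->count);
    buf[fcall->count] = 0;      /* index fcall->count is now <= bufsz - 1 */
    return 0;
}

int main(void) {
    char buf[BUFSZ];
    /* Constructed payload: exactly BUFSZ bytes, no NUL of its own. */
    static const char payload[BUFSZ] = "0123456789abcdef";
    struct fcall exact = { BUFSZ, payload };
    struct fcall ok = { BUFSZ - 1, payload };

    printf("count == sizeof(buf): old check rejects? %d (terminator index %u, max valid %u)\n",
           old_check_rejects(exact.count, sizeof buf),
           exact.count, (unsigned)(sizeof buf - 1));
    printf("count == sizeof(buf): new check rejects? %d\n",
           new_check_rejects(exact.count, sizeof buf));

    if (copy_and_terminate(&ok, buf, sizeof buf) == 0)
        printf("count == sizeof(buf) - 1 accepted: \"%s\"\n", buf);
    if (copy_and_terminate(&exact, buf, sizeof buf) != 0)
        printf("count == sizeof(buf) rejected\n");
    return 0;
}
```

Run as is, the old check reports 0 (not rejected) for a count equal to the buffer size while the terminator index is one past the last valid slot; the new check rejects it, and a count one smaller still copies and terminates correctly.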
Received on Fri May 26 2006 - 15:43:20 UTC

This archive was generated by hypermail 2.2.0 : Sun Jul 13 2008 - 16:07:01 UTC