NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/45633: Improper string handling in cnmagic.c

>Number:         45633
>Category:       kern
>Synopsis:       Improper string handling in cnmagic.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 19 12:35:00 +0000 2011
>Originator:     Christian Biere
File: sys/kern/cnmagic.c
Function: cn_set_magic()

1. The code accesses the byte after the NUL byte of "magic".
2. The code assigns cn_magic[i] once from uninitalized memory m[i].

Function: cn_get_magic()

3. The length restriction by the parameter maglen is completely ignored.
4. If cn_magic_set() was called with an empty string "" as parameter, it is 
expanded to "\x27\x02".



Home | Main Index | Thread Index | Old Index