Re: Buffer Overflow - fvwrite.c and fread.c sources

[Matthias Scheler <tron%zhadum.org.uk@localhost>]

On Wed, Dec 22, 2010 at 11:04:00AM +0530, nikunj badjatya wrote:
> 1.
> fread.c:
>  79    (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);

That call is correct.

> 2.
> I currently investigating on a "possibility" of buffer overflow at these
> places. memcpy can write outside the bounds of allocated memory.

There are a lot of constructs and library function which are part of
the C language that can cause buffer overflows. Every use of a point
variable and every access to an array member can cause such problems.

Why are you concerned about NetBSD's implementation of fread(3) and
fwrite(3)? Is it merely the fact that the source code contains calls
to memcpy(3)? Or is there any actual evidence e.g. a program crash
which makes you suspect that code?

> 3.
> What I mean with knowing the contents of file structure is,
> If I write a sample code, which opens a sample text file ( FILE *fp ),
> performs read/write operation, and finally prints various FILE structure
> members. like fp->_p, _r etc. But when I compile the program it says fp has
> no member named _p, _r . !

Yes, because your program is not supposed to access the internals
of "FILE *". The fact that it cannot do that is a feature, not
a problem.

        Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/