tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Passing too long spec string to getfsspecname(3)
This code is potentially dangerous:
vname = malloc(strlen(name) * 4 + 1);
/* vname == NULL check */
strunvis(vname, name);
because multiplication by 4 can overflow. It's easy to add a range check
but strunvis(3) manual states that the dst buffer should have the same
length as the src (no expansion).
I'd like to remove the multiplication, if there are no objections.
PS I also spotted a potential wraparound in len = bufsiz - 5; but
I assume that no reasonable person will pass buffer that short.
--
Alex
Home |
Main Index |
Thread Index |
Old Index