tech-userlevel archive


Passing too long spec string to getfsspecname(3)



This code is potentially dangerous:

	vname = malloc(strlen(name) * 4 + 1);
	/* vname == NULL check */
	strunvis(vname, name);

because multiplication by 4 can overflow. It's easy to add a range check,
but the strunvis(3) manual states that the dst buffer should have the same
length as the src (no expansion).

I'd like to remove the multiplication, if there are no objections.

PS I also spotted a potential wraparound in len = bufsiz - 5; but
I assume that no reasonable person will pass a buffer that short.

-- 
Alex
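An added illustration of the two wraparounds described in the message (example code written for this archive page, not NetBSD's getfsspecname(3) source): the unchecked `strlen(name) * 4 + 1` beside a range-checked version and the proposed no-expansion allocation, plus a checked form of `len = bufsiz - 5`. Function names are the example's own.

```c
/* Added example, not the NetBSD code: size_t wraparound in the
 * allocation quoted above, and two safe alternatives. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked computation as in the quoted snippet: strlen(name) * 4 + 1.
 * For n = SIZE_MAX/4 + 1 the product wraps to 0 (unsigned arithmetic is
 * modular), so the expression yields 1 and malloc(1) is far too small. */
size_t unchecked_size(size_t n)
{
    return n * 4 + 1;
}

/* Range-checked variant: returns 0 on overflow (a valid result is always
 * at least 1, so 0 is an unambiguous failure value). */
size_t checked_size(size_t n)
{
    if (n > (SIZE_MAX - 1) / 4)
        return 0;
    return n * 4 + 1;
}

/* The variant the message proposes: strunvis(3) does not expand its input,
 * so strlen(name) + 1 bytes suffice, and that sum cannot wrap because the
 * string already occupies strlen(name) + 1 bytes of memory. */
size_t unvis_size(const char *name)
{
    return strlen(name) + 1;
}

/* The "len = bufsiz - 5" wraparound from the PS: for bufsiz < 5 the
 * subtraction wraps to a huge value. Returns 0 and leaves *len at 0 when
 * the buffer is too small, otherwise 1 with *len = bufsiz - 5. */
int checked_len(size_t bufsiz, size_t *len)
{
    *len = 0;
    if (bufsiz < 5)
        return 0;
    *len = bufsiz - 5;
    return 1;
}

int main(void)
{
    size_t n = SIZE_MAX / 4 + 1;   /* constructed oversized length */
    printf("unchecked: %zu  checked: %zu  unvis: %zu\n",
           unchecked_size(n), checked_size(n), unvis_size("\\n"));
    return 0;
}
```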

