tech-userlevel archive


Re: buffer overflow in t_vis.c



On Thu, 13 Apr 2017, Brooks Davis wrote:

> I've found a one byte buffer overflow in t_vis.c.  It's caused by a
> quite reasonable confusion about an undocumented behavior of always
> adding a '\0' terminating the dst string in strnunvisx().  This patch
> fixes the test, but I think the behavior is confusing and should be
> documented in addition to the requirement that the buffers be the same
> length.

I don't think the comment is very clear; can you say where the additional
\0 comes from? Is it in fact strunvisx() which adds it, or is it because
the original byte string is not NUL terminated, but the strsvisx() call
returns a NUL terminated string, and then when you strunvisx() on that, it
considers that the string terminator is part of the string?

Would it be better for the test to use strnunvisx(), or will that fail
and return ENOSPC? (Reading the manpage, I'm not sure if it will just set
errno, rather than fail.)

iain
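An added example, not part of the thread and not NetBSD's libc code, to make the sizing question above concrete. model_strnunvisx() is a constructed stand-in for the strnunvisx() contract the thread describes: it always writes a terminating '\0' and, as an assumption taken from the unvis(3) manpage, returns -1 with errno set to ENOSPC when dlen cannot hold the decoded bytes plus the terminator. Only the "\\\\" escape is decoded, which is enough to show that the output can be shorter than the input but never needs less than strlen(src) + 1 bytes when there is nothing to decode. decodes_into() is the check the test in t_vis.c wants: a dst buffer the same length as src is rejected, one byte longer succeeds.

```c
/* Constructed model of strnunvisx(), not the libc implementation. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode src into dst, writing at most dlen bytes including the '\0'.
 * Returns the number of data bytes written, or -1 with errno = ENOSPC
 * when there is no room for the next data byte plus the terminator
 * (assumed behaviour, modelled on the unvis(3) manpage). */
int model_strnunvisx(char *dst, size_t dlen, const char *src)
{
    size_t out = 0;

    for (const char *p = src; *p != '\0'; p++) {
        char c = *p;

        /* The only escape decoded here: "\\\\" collapses to one backslash. */
        if (c == '\\' && p[1] == '\\')
            p++;

        /* One byte for c and one byte for the terminator must both fit. */
        if (out + 1 >= dlen) {
            errno = ENOSPC;
            return -1;
        }
        dst[out++] = c;
    }

    if (dlen == 0) {          /* not even room for the terminator */
        errno = ENOSPC;
        return -1;
    }
    dst[out] = '\0';          /* always NUL terminated, as the thread notes */
    return (int)out;
}

/* The check a test should make before handing strnunvisx() a buffer:
 * returns 1 if src decodes into dlen bytes, 0 if rejected with ENOSPC,
 * -1 on any other failure. With no escapes in src, dlen must be at least
 * strlen(src) + 1. */
int decodes_into(size_t dlen, const char *src)
{
    char buf[64];

    if (dlen > sizeof(buf))
        return -1;
    if (model_strnunvisx(buf, dlen, src) < 0)
        return errno == ENOSPC ? 0 : -1;
    return 1;
}

int main(void)
{
    const char *src = "hello";   /* constructed sample with no escapes */

    /* Same length as src: the case the patch had to fix. */
    printf("dlen == strlen(src):     %d\n", decodes_into(strlen(src), src));
    /* One extra byte for the terminator: what the test actually needs. */
    printf("dlen == strlen(src) + 1: %d\n", decodes_into(strlen(src) + 1, src));
    return 0;
}
```

With the real function the same sizing rule applies whether or not the n variant reports ENOSPC: the length-limited call turns the one-byte overwrite into a detectable failure, while the unbounded strunvisx() has no dlen at all and relies entirely on the caller having reserved the extra byte.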

