svn commit: r210578 - head/usr.bin/grep

Jilles Tjoelker jilles at stack.nl
Thu Jul 29 22:55:59 UTC 2010


On Thu, Jul 29, 2010 at 03:24:54PM -0700, Xin LI wrote:
> On 2010/07/29 05:20, Jilles Tjoelker wrote:
> > Note that this code may not be safe if fg->len comes from an untrusted
> > user, as fg->len + 1 is 0 if fg->len == SIZE_MAX. This is not the case
> > if fg->len is an actual length from strlen() or similar.

> Speaking for this piece of code, I have to say that the modified version
> is actually safer (an improvement, as the attacker could not overwrite
> arbitrary memory).

> If fg->len + 1 == 0, fg->pattern would point to a small area (assuming
> normal malloc.conf setting without V) where, for memcpy, it would
> overwrite fg->len bytes, while strlcpy() will do nothing.

> By the way, how can fg->len come from an untrusted party?  It's
> strlen(pat) which I don't think can ever reach SIZE_MAX without crashing
> the program.

Right, fg->len comes from a strlen() so adding one to it is safe. My
remark was directed at similar code where a length comes from a number
supplied by an untrusted user.

> I'll dig further for this piece of code anyways.

-- 
Jilles Tjoelker
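The length-wrap case discussed above, as an added illustration that is not part of the thread or of FreeBSD's grep: a hypothetical `struct fastgrep` (name assumed) with the `pattern`/`len` fields, and a setter that refuses a length whose `+ 1` would wrap to 0 before it reaches malloc().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the fg->pattern / fg->len fields from the thread. */
struct fastgrep {
	char	*pattern;
	size_t	 len;
};

/*
 * Returns 1 if len + 1 wraps around to 0 in size_t arithmetic, which is
 * exactly the SIZE_MAX case raised in the discussion.
 */
int
len_plus_one_wraps(size_t len)
{
	return (len + 1 == 0);
}

/*
 * Copy pat (len bytes, not necessarily NUL-terminated) into a fresh
 * NUL-terminated buffer.  Returns 0 on success, -1 on a wrapped length or
 * allocation failure.  Without the SIZE_MAX check, malloc(len + 1) would be
 * malloc(0) and the memcpy of len bytes would run far past the allocation;
 * the check is what makes this safe for a length that did not come from
 * strlen().
 */
int
fg_set_pattern(struct fastgrep *fg, const char *pat, size_t len)
{
	char *p;

	if (len_plus_one_wraps(len))
		return (-1);
	p = malloc(len + 1);
	if (p == NULL)
		return (-1);
	memcpy(p, pat, len);
	p[len] = '\0';
	fg->pattern = p;
	fg->len = len;
	return (0);
}
```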
