Hi, found the following code snippet in ip_conntrack_standalone.c:145 in function conntrack_iterate():

-------------------000000------8<-----------------------------
	newlen = print_conntrack(buffer + *len, hash->ctrack);
	printk("len + newlen: %d maxlen: %d\n", *len + newlen, maxlen);
	if (*len + newlen > maxlen)
		return 1;
	else
		*len += newlen;
-------------000000------------8<-----------------------------

print_conntrack() uses sprintf without length checking. And now I'm wondering what happens if, for example, maxlen=3072 and len=3071. print_conntrack uses sprintf, writes beyond the end of the buffer, and only after this is the check (*len + newlen > maxlen) done. Looks to me like a bug. Did I miss something?

Bye,
Sven.

--
"If you can't make it good, at least make it look good."
Bill Gates on the solid code base of Win9X
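As an added illustration (not code from the kernel or from the post above), here is a user-space model of the iterate step with the ordering the post questions corrected: the write is bounded with snprintf first, the length check comes second, and a line that does not fit is dropped without touching anything past buffer[maxlen-1]. The struct entry, the field names and the format string are constructed stand-ins for the real conntrack data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a conntrack entry; not the kernel's struct. */
struct entry { unsigned int src, dst; unsigned short sport, dport; };

/* Bounded counterpart of print_conntrack(): writes at most 'room' bytes
 * (NUL included) and returns the length the full line needs, so the
 * caller can tell whether the output was truncated. */
static int print_entry(char *buf, size_t room, const struct entry *e)
{
    return snprintf(buf, room, "src=%u dst=%u sport=%u dport=%u\n",
                    e->src, e->dst, e->sport, e->dport);
}

/* Corrected iterate step: bounded write first, length check second.
 * Returns 1 if the entry does not fit (*len unchanged, partial text
 * erased), 0 if it was appended. */
static int iterate_entry(char *buffer, size_t *len, size_t maxlen,
                         const struct entry *e)
{
    size_t room = *len < maxlen ? maxlen - *len : 0;
    int need = print_entry(buffer + *len, room, e);

    if (need < 0 || (size_t)need >= room) {   /* truncated: buffer full */
        if (room)
            buffer[*len] = '\0';              /* drop the partial line */
        return 1;
    }
    *len += (size_t)need;
    return 0;
}

/* Appends constructed entries until the buffer is full; returns how many
 * fit and reports the final length through *final_len. */
static int run_demo(char *buffer, size_t maxlen, size_t *final_len)
{
    struct entry e = { 1, 2, 3, 4 };   /* each line is 28 bytes long */
    size_t len = 0;
    int count = 0;

    buffer[0] = '\0';
    while (iterate_entry(buffer, &len, maxlen, &e) == 0)
        count++;
    *final_len = len;
    return count;
}
```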