"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:

> Address two reports from an automatic code analyzer:
>
> 1. In logreport, it is possible to write \0 one
>    character past the end of buf[].

I am perhaps slower than I usually am today, but it seems to me that
the code caps msglen to (maxlen-1) and then adds that to buflen. Now,
maxlen is (sizeof(buf)-buflen-1), so that means after the
"buflen += msglen" happens, buflen is at most:

    buflen + (sizeof(buf)-buflen-1) - 1 = sizeof(buf) - 2

And then "buf[buflen++] = '\n'; buf[buflen] = '\0'" happens. '\n' is
written at sizeof(buf)-2 (or lower index than that) and '\0' is written
at sizeof(buf)-1 (or lower).

I am unsure how it steps beyond the end...

> 2. In socksetup, socklist can be leaked when returning
>    if set_reuse_addr(). Note: dunno why this case returns...

I am not sure why this part returns either. It appears to me that it
should just keep going just like the cases where bind/listen fails.
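
The index arithmetic in the reply above can be checked mechanically. This is an added example, not code from the patch or from git: `format_line`, `worst_case_nul_index`, the 32-byte buffer and the numeric prefix are assumptions that model the length handling as the message describes it, with a guard byte placed directly after the buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 32 /* assumed small size so truncation is easy to hit */

/* Hypothetical model of the reply's length handling; returns the NUL's index. */
static size_t format_line(char *out, long id, const char *fmt, ...)
{
    va_list ap;
    int buflen, maxlen, msglen;

    buflen = snprintf(out, BUF_SIZE, "[%ld] ", id); /* assumed to fit */
    maxlen = BUF_SIZE - buflen - 1;                 /* -1 keeps room for LF */
    va_start(ap, fmt);
    msglen = vsnprintf(out + buflen, maxlen, fmt, ap);
    va_end(ap);
    if (msglen > maxlen - 1)
        msglen = maxlen - 1; /* vsnprintf reports the untruncated length */
    else if (msglen < 0)
        msglen = 0;
    buflen += msglen;
    out[buflen++] = '\n';
    out[buflen] = '\0';
    return (size_t)buflen;
}

/* Tries message lengths 0..2*BUF_SIZE; returns the highest NUL index seen,
 * or -1 if the guard byte directly after the buffer was overwritten. */
static int worst_case_nul_index(long id)
{
    struct { char buf[BUF_SIZE]; unsigned char guard[8]; } s;
    char msg[2 * BUF_SIZE + 1];
    int worst = 0;
    for (int len = 0; len <= 2 * BUF_SIZE; len++) {
        memset(msg, 'A', (size_t)len);
        msg[len] = '\0';
        memset(&s, 0xAA, sizeof(s));
        int nul = (int)format_line(s.buf, id, "%s", msg);
        if (s.guard[0] != 0xAA) /* a one-past-the-end write lands here */
            return -1;
        if (nul > worst)
            worst = nul;
    }
    return worst;
}

int main(void)
{
    printf("highest NUL index %d, last valid index %d\n", worst_case_nul_index(1), BUF_SIZE - 1);
}
```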