On 9/5/09, Florian Zumbiehl <florz@xxxxxxxx> wrote:
> Hi,
>
>> On Saturday 05 of September 2009 08:25:01 Florian Zumbiehl wrote:
>> > Hi,
>> >
>> > > > diff --git a/libudev/libudev-util-private.c >> > > > b/libudev/libudev-util-private.c index 64203a8..c309945 100644 >> > > > --- a/libudev/libudev-util-private.c >> > > > +++ b/libudev/libudev-util-private.c >> > > > @@ -268,7 +268,7 @@ int util_run_program(struct udev *udev, const >> > > > char *command, char **envp, pid_t pid; >> > > > char arg[UTIL_PATH_SIZE]; >> > > > char program[UTIL_PATH_SIZE]; >> > > > - char *argv[(sizeof(arg) / 2) + 1]; >> > > > + char *argv[sizeof(arg) + 1];
>> > >
>> > > Could you give example when this overflows?
>> >
>> > UTIL_PATH_SIZE-1 spaces.
>> >
>>
>> Please try to understand what code you are fixing does.
>
> No, of course not.
>
> Now, what am I missing? I obviously do not understand much of how udev
> works, but if the code of this function is not somewhat pointless, then
> how would there not be a potential buffer overflow?
>
> Florian

Running "ls  -l" (two spaces) should be equivalent to "ls -l" (one space).
arg filled with spaces should be more or less equivalent to arg = "".
If it's not - then that's the real bug.
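Review bot: The new size on the `+ char *argv[sizeof(arg) + 1];` line comes with no comment explaining why one slot per byte of arg is now needed, and the loop that stores into argv is not part of the hunk, so the declaration alone cannot show that the write is bounded. The old `(sizeof(arg) / 2) + 1` is enough only if every argv entry consumes at least two bytes of arg (one character plus a separator or terminator); the case named in the thread, UTIL_PATH_SIZE-1 spaces, breaks that only if each space yields its own entry. I would ask for the fill loop to check its index against the array size before every store and to skip empty tokens from repeated separators, with a one-line comment at the declaration stating the sizing assumption, instead of doubling a stack array.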
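The sizing argument in this thread, as an added example that is not udev's code and not from any participant: when a run of spaces counts as one separator, k tokens need at least 2k-1 bytes of arg, so a buffer of ARG_SIZE bytes holds at most ARG_SIZE/2 tokens and `(ARG_SIZE / 2) + 1` slots cover them plus the NULL. `split_args`, `count_tokens` and the value of `ARG_SIZE` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_SIZE 16                       /* assumed stand-in for UTIL_PATH_SIZE */
#define ARGV_SLOTS ((ARG_SIZE / 2) + 1)   /* the pre-patch sizing */

/* Hypothetical tokenizer (not udev's code): splits buf in place, treats a run
 * of spaces as one separator, never writes past argv[slots - 1].
 * Returns the token count, or -1 if the tokens do not fit. */
static int split_args(char *buf, char **argv, size_t slots)
{
    size_t n = 0;
    char *p = buf;
    if (slots == 0)
        return -1;
    for (;;) {
        while (*p == ' ')                 /* skip leading and repeated spaces */
            p++;
        if (*p == '\0')
            break;
        if (n + 1 >= slots)               /* keep one slot for the NULL */
            return -1;
        argv[n++] = p;
        while (*p != '\0' && *p != ' ')
            p++;
        if (*p == ' ')
            *p++ = '\0';
    }
    argv[n] = NULL;
    return (int)n;
}

/* Fill a full-size arg buffer by repeating `unit` (constructed input), then split it. */
static int count_tokens(const char *unit)
{
    char arg[ARG_SIZE];
    char *argv[ARGV_SLOTS];
    size_t i, len = strlen(unit);
    for (i = 0; i < sizeof(arg) - 1; i++)
        arg[i] = unit[i % len];
    arg[sizeof(arg) - 1] = '\0';
    return split_args(arg, argv, ARGV_SLOTS);
}

int main(void)
{
    printf("spaces: %d, \"a \" repeated: %d\n", count_tokens(" "), count_tokens("a "));
    return 0;
}
```

The densest input, single characters separated by single spaces, fills the array exactly; a tokenizer that emitted an entry per space would need the index check to fail closed.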