On Sat, Sep 5, 2009 at 12:50, Alan Jenkins <sourcejedi.lkml@xxxxxxxxxxxxxx> wrote:
> On 9/5/09, Florian Zumbiehl <florz@xxxxxxxx> wrote:
>>> On Saturday 05 of September 2009 08:25:01 Florian Zumbiehl wrote:
>>> > > > diff --git a/libudev/libudev-util-private.c
>>> > > > b/libudev/libudev-util-private.c index 64203a8..c309945 100644
>>> > > > --- a/libudev/libudev-util-private.c
>>> > > > +++ b/libudev/libudev-util-private.c
>>> > > > @@ -268,7 +268,7 @@ int util_run_program(struct udev *udev, const
>>> > > > char *command, char **envp, pid_t pid;
>>> > > > char arg[UTIL_PATH_SIZE];
>>> > > > char program[UTIL_PATH_SIZE];
>>> > > > - char *argv[(sizeof(arg) / 2) + 1];
>>> > > > + char *argv[sizeof(arg) + 1];
>>> > >
>>> > > Could you give example when this overflows?
>>> >
>>> > UTIL_PATH_SIZE-1 spaces.
>>> >
>>>
>>> Please try to understand what code you are fixing does.
>>
>> No, of course not.
>>
>> Now, what am I missing? I obviously do not understand much of how udev
>> works, but if the code of this function is not somewhat pointless, then
>> how would there not be a potential buffer overflow?
>
> Running "ls  -l" (two spaces) should be equivalent to "ls -l" (one
> space). arg filled with spaces should be more or less equivalent to
> arg = "". If it's not - then that's the real bug.

Changed it to skip multiple consecutive spaces.

Thanks,
Kay
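
Review bot: in the util_run_program hunk, growing argv to sizeof(arg) + 1 pointers sizes the array for the worst case instead of enforcing a bound where argv is filled. The reproducer given in the thread (UTIL_PATH_SIZE-1 spaces) would overflow the old array only if the splitting code stores an argument for every separator, and that code is outside the visible context. I would keep (sizeof(arg) / 2) + 1, make the splitter skip runs of spaces, and add an explicit index check against the array size before each argv store so the limit is enforced rather than implied. The larger array also adds about sizeof(arg) more pointers to a stack frame that already holds arg and program, and the change carries no comment explaining why the new size is sufficient.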
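
The behaviour the thread settles on (runs of spaces collapse, so a command made only of spaces yields no arguments) can be sketched as below. This is an added example, not code from udev or from anyone in the thread; `split_command`, `ARG_SIZE` (a stand-in for `UTIL_PATH_SIZE`) and `ARGV_MAX` are hypothetical names, and the buffer size is an assumed value.

```c
#include <stddef.h>
#include <string.h>

#define ARG_SIZE 64   /* stand-in for UTIL_PATH_SIZE; value is an assumption */

/* Worst case once separator runs are skipped: "a b c ..." gives one
 * argument per two bytes, so (ARG_SIZE / 2) slots plus a NULL suffice. */
#define ARGV_MAX ((ARG_SIZE / 2) + 1)

/*
 * Hypothetical helper (not udev's code): split cmd on spaces in place
 * inside buf, skipping runs of spaces so no empty arguments are emitted.
 * Returns the argument count, or -1 if cmd does not fit in buf or argv.
 */
int split_command(const char *cmd, char buf[ARG_SIZE], char *argv[ARGV_MAX])
{
    size_t len = strlen(cmd);
    size_t i = 0;
    int argc = 0;

    if (len >= ARG_SIZE)
        return -1;                      /* refuse rather than truncate */
    memcpy(buf, cmd, len + 1);

    while (buf[i] != '\0') {
        while (buf[i] == ' ')           /* skip consecutive separators */
            i++;
        if (buf[i] == '\0')
            break;
        if (argc >= ARGV_MAX - 1)       /* always keep room for NULL */
            return -1;
        argv[argc++] = &buf[i];
        while (buf[i] != '\0' && buf[i] != ' ')
            i++;
        if (buf[i] == ' ')
            buf[i++] = '\0';            /* terminate this argument */
    }
    argv[argc] = NULL;
    return argc;
}
```

The explicit `argc` check is never reached for inputs that fit in `buf`, but it keeps the write to `argv` safe if the two size macros are later changed independently.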