On Sat, Dec 22, 2012 at 9:32 AM, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
> Casey Schaufler wrote:
>> On 12/20/2012 6:02 AM, Tetsuo Handa wrote:
>> > Several bugfixes for v11 patchset.
>> >
>> > Fixed off-by-one bug in lsm_read().
>>
>> Where is the off-by-one error?
>>
>
>         list_for_each_entry(sop, &lsm_hooks[LSM_name], list[LSM_name]) {
>                 strcat(data, sop->name);
>                 strcat(data, ","); // <= Here. :-(
>         }
>
> If COMPOSER_MAX == 1, COMPOSER_NAMES_MAX is SECURITY_NAME_MAX+1.
> If strlen(sop->name) == SECURITY_NAME_MAX,
> strcat(data, sop->name) writes data[0...COMPOSER_NAMES_MAX] and
> strcat(data, ",") writes data[COMPOSER_NAMES_MAX...COMPOSER_NAMES_MAX+1].
> data[] needs to be one byte larger for writing trailing '\0'.

Seems like seq_read() is a good fit here... Let libraries deal with it and make it easier if someone one day comes up with a completely dynamic solution.

-Eric
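The buffer arithmetic discussed in this thread, as an added user-space C example that is not part of the original messages or of the patchset: it counts the bytes the quoted strcat() loop stores and shows a bounded join that refuses the short buffer instead of writing past it. NAME_MAX_LEN and MAX_MODULES are assumed stand-ins for SECURITY_NAME_MAX and COMPOSER_MAX, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for SECURITY_NAME_MAX and COMPOSER_MAX (values illustrative). */
#define NAME_MAX_LEN 10
#define MAX_MODULES  1
/* Size with room for "name," per module but no terminator, as in the thread. */
#define NAMES_BUF_SHORT (MAX_MODULES * (NAME_MAX_LEN + 1))
#define NAMES_BUF_OK    (NAMES_BUF_SHORT + 1)   /* one more byte for '\0' */

/* Bytes the strcat() loop stores for these names, counting the final '\0'. */
size_t join_bytes_needed(const char *const *names, size_t n)
{
    size_t need = 1;                      /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        need += strlen(names[i]) + 1;     /* name plus ',' */
    return need;
}

/* Bounded form of the loop: appends "name," per entry. Returns 0 on success,
 * or -1 without writing past dst[cap - 1] when the next entry does not fit. */
int join_names(char *dst, size_t cap, const char *const *names, size_t n)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        if (len + 2 > cap - used)         /* name + ',' + NUL must fit */
            return -1;
        memcpy(dst + used, names[i], len);
        used += len;
        dst[used++] = ',';
        dst[used] = '\0';
    }
    return 0;
}

int main(void)
{
    const char *names[] = { "0123456789" };   /* constructed: maximum-length name */
    char small[NAMES_BUF_SHORT], ok[NAMES_BUF_OK];
    printf("needed: %zu bytes\n", join_bytes_needed(names, 1));
    printf("short buffer (%d): %d\n", NAMES_BUF_SHORT, join_names(small, sizeof(small), names, 1));
    printf("fixed buffer (%d): %d\n", NAMES_BUF_OK, join_names(ok, sizeof(ok), names, 1));
    return 0;
}
```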