List: hurd-bug
Subject: [bug #28446] No checks are made for unterminated strings in RPC messages
From: Kalle Olavi Niemitalo <INVALID.NOREPLY () gnu ! org>
Date: 2016-07-12 9:05:47
Message-ID: 20160712-090545.sv38928.42247 () savannah ! gnu ! org
Follow-up Comment #1, bug #28446 (project hurd):

The client-side dir_lookup function generated by MIG calls
__mig_strncpy(InP->file_name, file_name, 1024) to copy the file name to the
request message. If the file name is too long, this silently truncates it and
does not append a null character. So you can also test the server behavior by
trying to open such a file via libc:

    rpctrace -E LC_ALL=C -s 2000 cat $(perl -e "print 'a' x 1020")12345

This shows the string in the message ends with "aaa1234".

I think MIG-generated code should return an error instead of truncating the
string. This is less important than fixing the code that examines received
messages, though.

_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?28446>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
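
Added example, not part of the original message and not MIG or Hurd code: a C program that reproduces the truncation described in the comment and shows the two checks it argues for, one on the sending side and one on the receiving side. Standard strncpy stands in for the generated copy, and all helper names and the global `field` buffer are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_FIELD 1024            /* field size from the message above */

static char field[NAME_FIELD];     /* models the file_name field of a request */

/* Stand-in for the truncating copy: strncpy writes no NUL when src fills dst. */
static void copy_name_unchecked(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
}

/* Sender side: return an error instead of truncating (hypothetical helper). */
static int copy_name_checked(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    if (len >= n)                  /* no room for the name plus its NUL */
        return ENAMETOOLONG;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Receiver side: a fixed-size string field is usable only if it holds a NUL. */
static int field_is_terminated(const char *f, size_t n)
{
    return memchr(f, '\0', n) != NULL;
}

/* Constructed input: 1020 'a' characters followed by "12345". */
static const char *long_name(void)
{
    static char buf[1026];
    memset(buf, 'a', 1020);
    memcpy(buf + 1020, "12345", 6);
    return buf;
}

int main(void)
{
    copy_name_unchecked(field, long_name(), NAME_FIELD);
    printf("tail=%.7s terminated=%d\n", field + NAME_FIELD - 7,
           field_is_terminated(field, NAME_FIELD));
    printf("checked copy returns %d (ENAMETOOLONG=%d)\n",
           copy_name_checked(field, long_name(), NAME_FIELD), ENAMETOOLONG);
    return 0;
}
```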