
List:       netbsd-tech-userlevel
Subject:    Passing too long spec string to getfsspecname(3)
From:       Alexander Nasonov <alnsn () yandex ! ru>
Date:       2018-12-26 22:11:15
Message-ID: 20181226221113.vsqmgokb4civilp6 () pinet

This code is potentially dangerous:

	vname = malloc(strlen(name) * 4 + 1);
	/* vname == NULL check */
	strunvis(vname, name);

because multiplication by 4 can overflow. It's easy to add a range check
but strunvis(3) manual states that the dst buffer should have the same
length as the src (no expansion).

I'd like to remove the multiplication, if there are no objections.

PS: I also spotted a potential wraparound in len = bufsiz - 5; but
I assume that no reasonable person will pass a buffer that short.

-- 
Alex
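The two size calculations discussed in the message, worked through as an added example (this is not NetBSD code and not the getfsspecname(3) implementation; the function names expanded_size_naive, expanded_size_checked, unvis_dest_size and reserve_len_checked are hypothetical helpers written for this illustration). It shows how strlen(name) * 4 + 1 wraps to a tiny allocation for a very long name, the range check that would catch it, the simpler non-expanding size the post proposes, and the bufsiz - 5 wraparound from the postscript. strunvis(3) itself is not called so the example builds without libbsd.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The formula from the message, computed with ordinary unsigned wraparound.
 * For len = SIZE_MAX / 4 + 1 the product is 2^N, which wraps to 0, so the
 * "size" becomes 1 and malloc() hands back a one-byte buffer. */
size_t expanded_size_naive(size_t len)
{
    return len * 4 + 1;
}

/* Same formula with a range check: returns 0 (never a valid size here)
 * when len * 4 + 1 would not fit in size_t. */
size_t expanded_size_checked(size_t len)
{
    if (len > (SIZE_MAX - 1) / 4)
        return 0;
    return len * 4 + 1;
}

/* The alternative proposed in the message: strunvis(3) never expands its
 * input, so the destination only needs strlen(src) + 1 bytes and the
 * multiplication disappears altogether. */
size_t unvis_dest_size(const char *name)
{
    return strlen(name) + 1;
}

/* Allocate the destination buffer for the decoded name using the
 * non-expanding size. Caller frees. */
char *alloc_vname(const char *name)
{
    return malloc(unvis_dest_size(name));
}

/* The "len = bufsiz - 5" computation from the postscript: with bufsiz < 5
 * the subtraction wraps to a huge value. Returns 1 and stores the length
 * when bufsiz is large enough, 0 otherwise. len may be NULL. */
int reserve_len_checked(size_t bufsiz, size_t *len)
{
    if (bufsiz < 5)
        return 0;
    if (len != NULL)
        *len = bufsiz - 5;
    return 1;
}

int main(void)
{
    const char *name = "dk0";                /* constructed sample name */
    size_t huge = SIZE_MAX / 4 + 1;          /* length that wraps the 4x formula */

    printf("naive size for huge len:   %zu\n", expanded_size_naive(huge));
    printf("checked size for huge len: %zu (0 = overflow)\n",
           expanded_size_checked(huge));
    printf("non-expanding size for \"%s\": %zu\n", name, unvis_dest_size(name));

    char *vname = alloc_vname(name);
    if (vname == NULL)
        return 1;
    /* strunvis(vname, name) would decode into vname here */
    free(vname);

    printf("bufsiz 4 acceptable: %d\n", reserve_len_checked(4, NULL));
    return 0;
}
```

The checked variant is what a minimal patch would look like; dropping the multiplication, as the message proposes, removes the overflow case entirely because strlen(name) + 1 cannot wrap for any string that fits in memory.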