This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



gdb/2315: buffer overflow in monitor code


>Number:         2315
>Category:       gdb
>Synopsis:       buffer overflow in monitor code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          patch
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 11 16:38:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Moritz Jodeit
>Release:        cvs -current
>Organization:
>Environment:

>Description:
A straightforward buffer overflow is possible in the monitor code, because the sscanf(3) format string does not specify a maximum length.
>How-To-Repeat:

>Fix:
Index: monitor.c
===================================================================
RCS file: /cvs/src/src/gdb/monitor.c,v
retrieving revision 1.74
diff -u -p -r1.74 monitor.c
--- monitor.c   23 Aug 2007 18:08:36 -0000      1.74
+++ monitor.c   11 Sep 2007 16:26:59 -0000
@@ -2109,7 +2109,7 @@ monitor_load (char *file, int from_tty)
       char buf[128];
 
       /* enable user to specify address for downloading as 2nd arg to load */
-      n = sscanf (file, "%s 0x%lx", buf, &load_offset);
+      n = sscanf (file, "%127s 0x%lx", buf, &load_offset);
       if (n > 1)
        file = buf;
       else
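Review bot: the new width in `n = sscanf (file, "%127s 0x%lx", buf, &load_offset);` is correct for `char buf[128]` (127 characters plus the terminating NUL), but the literal `127` now silently duplicates the array size declared a few lines above; if `buf` is ever resized the two will drift apart and the overflow reopens. Suggest either a comment next to `char buf[128];` stating that the `%127s` width must track it, or deriving the format from `sizeof (buf) - 1`. A second, minor point: when the file name exceeds 127 characters, `%127s` stops early and the leftover characters are then matched against ` 0x%lx`, so the call returns 1 with a truncated name rather than failing; a short note in the comment above the call that over-long names are truncated, not rejected, would make that behaviour explicit for the next reader.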
>Release-Note:
>Audit-Trail:
>Unformatted:
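The report above shows the unbounded `%s` conversion and the one-token fix. The following is an added, stand-alone example (not gdb's code and not the submitter's patch) that performs the same `"<file> 0x<offset>"` parse as `monitor_load` into a 128-byte buffer, but builds the `sscanf` width from `sizeof` so the width and the buffer cannot drift apart, and uses `%n` to detect when a file name was silently truncated. The struct `load_args`, the function `parse_load_args` and the sample inputs in `main` are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not gdb's code: the same "<file> 0x<offset>" parse
   as monitor_load, with the sscanf field width derived from the buffer size. */

#define FILE_BUF_LEN 128   /* mirrors 'char buf[128]' in the report */

struct load_args {
    char file[FILE_BUF_LEN];   /* file name token, always NUL terminated */
    unsigned long offset;      /* optional "0x..." load offset */
    int truncated;             /* 1 if the file token did not fit in 'file' */
};

/* Returns the number of fields matched (0, 1 or 2), like the original sscanf.
   Never writes more than FILE_BUF_LEN - 1 characters plus a NUL into out->file. */
int parse_load_args(const char *arg, struct load_args *out)
{
    char fmt[32];
    int consumed = 0;
    int n;

    memset(out, 0, sizeof *out);

    /* Produces "%127s%n": the width comes from sizeof, so resizing 'file'
       cannot silently reopen the overflow that the report describes. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", sizeof out->file - 1);
    n = sscanf(arg, fmt, out->file, &consumed);
    if (n < 1)
        return 0;

    /* If the character right after the token is neither end of string nor
       whitespace, the width limit stopped the conversion early: the name
       was longer than the buffer and has been truncated, not rejected. */
    if (arg[consumed] != '\0' && !isspace((unsigned char)arg[consumed]))
        out->truncated = 1;

    /* Same trailing pattern as the original format: " 0x%lx". */
    if (sscanf(arg + consumed, " 0x%lx", &out->offset) == 1)
        return 2;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: a normal load line and an over-long name. */
    char longname[300];
    struct load_args a;
    int n;

    n = parse_load_args("firmware.bin 0x10000", &a);
    printf("fields=%d file=%s offset=0x%lx truncated=%d\n",
           n, a.file, a.offset, a.truncated);

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    n = parse_load_args(longname, &a);
    printf("fields=%d len(file)=%zu truncated=%d\n",
           n, strlen(a.file), a.truncated);
    return 0;
}
```

The `truncated` flag is the practical difference from the patched gdb call: with `%127s` alone an over-long name is quietly cut to 127 characters and parsing continues, so a caller that wants to refuse such input rather than load the wrong file has to detect the condition itself.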

