This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/4344] New: ldconfig off-by-off-by-one alloca for sprintf
- From: "davea42 at earthlink dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 11 Apr 2007 01:54:36 -0000
- Subject: [Bug libc/4344] New: ldconfig off-by-off-by-one alloca for sprintf
- Reply-to: sourceware-bugzilla at sourceware dot org
elf/ldconfig.c has 2 off-by-off-by-one alloca for sprintf
(still in 1.58 MAIN).
Independent of target/host/build.
For both of the sprintf calls below, the computation is
strlen() + strlen() + 1, but it needs +2: one for the / and one for
the null terminator.
      len = strlen (direntry->d_name);
      /* Skip temporary files created by the prelink program.  Files with
         names like these are never really DSOs we want to look at.  */
      if (len >= sizeof (".#prelink#") - 1)
        {
          if (strcmp (direntry->d_name + len - sizeof (".#prelink#") + 1,
                      ".#prelink#") == 0)
            continue;
          if (len >= sizeof (".#prelink#.XXXXXX") - 1
              && memcmp (direntry->d_name + len - sizeof (".#prelink#.XXXXXX")
                         + 1, ".#prelink#.", sizeof (".#prelink#.") - 1) == 0)
            continue;
        }
      len += strlen (entry->path);
      if (len > file_name_len)
        {
          file_name_len = len + 1;
          file_name = alloca (file_name_len);
          if (!opt_chroot)
            real_file_name = file_name;
        }
      sprintf (file_name, "%s/%s", entry->path, direntry->d_name);
      if (opt_chroot)
        {
          len = strlen (dir_name) + strlen (direntry->d_name);
          if (len > real_file_name_len)
            {
              real_file_name_len = len + 1;
              real_file_name = alloca (real_file_name_len);
            }
          sprintf (real_file_name, "%s/%s", dir_name, direntry->d_name);
        }
--
Summary: ldconfig off-by-off-by-one alloca for sprintf
Product: glibc
Version: 2.4
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: davea42 at earthlink dot net
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=4344
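The size arithmetic from the report, as an added example that is not glibc code and not part of the original message: it compares the reported computation with the bytes "%s/%s" writes, and shows a bounded join that rejects a short buffer. The function names and the sample path are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size as computed in the reported code: strlen + strlen + 1. */
static size_t reported_size (const char *dir, const char *name)
{
  return strlen (dir) + strlen (name) + 1;
}

/* Bytes "%s/%s" really writes: both strings, the '/', and the NUL. */
static size_t needed_size (const char *dir, const char *name)
{
  return strlen (dir) + 1 + strlen (name) + 1;
}

/* Bounded join: 0 on success, -1 if the result (with NUL) does not fit. */
static int join_path (char *buf, size_t bufsize, const char *dir, const char *name)
{
  int n = snprintf (buf, bufsize, "%s/%s", dir, name);
  return (n < 0 || (size_t) n >= bufsize) ? -1 : 0;
}

/* Heap-allocating join; caller frees.  NULL on overflow or failed malloc. */
static char *join_path_alloc (const char *dir, const char *name)
{
  size_t dlen = strlen (dir), nlen = strlen (name);
  if (dlen > SIZE_MAX - 2 || nlen > SIZE_MAX - 2 - dlen)
    return NULL;
  size_t size = dlen + nlen + 2;
  char *buf = malloc (size);
  if (buf != NULL && join_path (buf, size, dir, name) != 0)
    {
      free (buf);
      buf = NULL;
    }
  return buf;
}

int main (void)
{
  const char *dir = "/usr/lib", *name = "libc.so.6";  /* constructed sample */
  char small[18];  /* the size the reported computation would allocate */
  printf ("reported=%zu needed=%zu\n", reported_size (dir, name), needed_size (dir, name));
  printf ("join into %zu bytes: %d\n", sizeof small, join_path (small, sizeof small, dir, name));
  char *p = join_path_alloc (dir, name);
  printf ("exact-size join: %s\n", p ? p : "(null)");
  free (p);
  return 0;
}
```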