This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: blow the stack with arbitrarily-extendible VLAs

From: Pierre Habouzit <madcoder at debian dot org>
To: libc-alpha at sourceware dot org
Date: Sat, 5 May 2007 23:41:20 +0200
Subject: Re: blow the stack with arbitrarily-extendible VLAs
References: <873b2bqalv.fsf@rho.meyering.net>

On Sat, May 05, 2007 at 10:27:56PM +0200, Jim Meyering wrote:
> After seeing the recently-fixed user-extendible VLA in vfprintf.c,
> I wondered if there were others.

  FWIW, unlike printf, where the VLA array could had its size changed
because of the end user input (imagine some mod_* in apache that used
printf to display formatted output asking the user for the width of the
formatting... bang a DOS), it's quite unlikely that user input could
impact the size passed to lio_listio (or the other examples you took).

  Oh I don't say it's nice, but I'd say it's way less critical.

-- 
ÂOÂ  Pierre Habouzit
ÂÂO                                                madcoder@debian.org
OOO                                                http://www.madism.org

Attachment: pgp00000.pgp
Description: PGP signature

References:
- blow the stack with arbitrarily-extendible VLAs
  - From: Jim Meyering

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]