Re: Q:How can I determine if an if is up in C/C++ only?
- To: mulix <mulix(at-nospam)actcom.co.il>
- Subject: Re: Q:How can I determine if an if is up in C/C++ only?
- From: guy keren <choo(at-nospam)actcom.co.il>
- Date: Fri, 15 Dec 2000 01:58:35 +0200 (EET)
- cc: Gilad Ben-Yossef <gilad(at-nospam)benyossef.com>, <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <3A39430F.EFBA102F@actcom.co.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
On Fri, 15 Dec 2000, mulix wrote:
> > strcpy(ifr.ifr_name, argv[1]);
>
> this is broken. ifr.ifr_name is a char array of size IFNAMSIZ (which is
> defined to 16 in net/if.h- not a very long buffer). if the user supplies
> a long enough argv[1], you have your classic buffer overflow here,
> easily overwriting EIP.
i guess gilad just meant for a test program here.
> you want to do
>
> strncpy(ifr.ifr_name, argv[1], IFNAMSIZ-2);
if you fix a broken thing, at least don't break the patch :) use:
strncpy(ifr.ifr_name, argv[1], IFNAMSIZ-1);
the buffer is of size IFNAMSIZ, so you copy that much minus 1 for the null
char.
> ifr.ifr_name[IFNAMSIZ-1] = '\0';
and this is the source of confusion. here the value 'IFNAMSIZ-1' is used
as an index, and previously it was used as a size.
of course, one may argue that it's better to return a 'string too long'
error than to silently trim the string. not to mention an additional check
for argc's value (maybe there was no parameter supplied), etc. etc. etc...
--
guy
"For world domination - press 1,
or dial 0, and please hold, for the creator." -- nob o. dy