summaryrefslogtreecommitdiff
path: root/flash_lock.c
diff options
context:
space:
mode:
authorElie De Brauwer <eliedebrauwer@gmail.com>2013-03-01 19:37:39 +0100
committerArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2013-03-11 10:40:23 +0200
commitca7a5eda221d53aa571836a6186ed117c804d702 (patch)
tree9254d8a667c60e4f3fb87f4f7f8fc29863876e2d /flash_lock.c
parent3ff90433ab22c001215d9a26c65de1b7f448dc79 (diff)
integck.c: Fix buffer overflow in save_file
In the problem above I've spend several hours waiting for the issue to appear, only to had the 'luck' that it was found in a file whose name was 256 bytes in length, resulting in the write to fail. Closer examination showed that the buffer to store the path was 256 bytes in length, but this buffer also includes /tmp and the read/write suffix and should be able to contain a filename which is up to 255 bytes (NAME_MAX in linux/limits.h) in size which is a bad fit. So that array is modified to FILENAME_MAX (stdio_lim.h) and some checking is added to truncate the filename should it cause an overflow. The following log shows the first patch in action (see the correct seed), and shows why this third patch is needed: <quote> integck:     File Data: integck:         Offset: 0  Size: 1  Seed: 5008310  R.Off: 0 integck:     1 writes integck:     ============================================ integck:     Write Info: integck:         Offset: 0  Size: 1  Seed: 5008310  R.Off: 0 integck:         Offset: 0  Size: 1  Seed: 8246352  R.Off: 0 integck:         Offset: 0  Size: 1  Seed: 5078796  R.Off: 0 integck:         Offset: 0  Size: 1  Seed: 2267087  R.Off: 0 integck:         Offset: 0  Size: 1  Seed: 3602680  R.Off: 0 integck:     5 writes or truncations integck:     ============================================ integck: Saving /tmp/yqcnfygfitaatyeyvffrguegcdttamcnyhowhgieljfuxfipiljsjcbluaeaghwyinkggommsbwnmvekihgnwgiibccpbwfrpxuxwkmnyghnutrudienngxwgorudbskedaaekiuiyqksfazrwzfwbfhzjjqoiulebtlpbfiuffmsnguqkjzqjqizimsmhbqqagaebjdhqwmzdxghiavtcxubegawlgtvstuqurkurpnrckjfkgostdtpg.integ.sav.readn integck: error!: condition 'w_fd != -1' failed in save_file() at integck.c:1445 integck: error 36 (File name too long) </quote> Signed-off-by: Elie De Brauwer <eliedebrauwer@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Diffstat (limited to 'flash_lock.c')
0 files changed, 0 insertions, 0 deletions