diff options
| author | Elie De Brauwer <eliedebrauwer@gmail.com> | 2013-03-01 19:37:39 +0100 | 
|---|---|---|
| committer | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2013-03-11 10:40:23 +0200 | 
| commit | ca7a5eda221d53aa571836a6186ed117c804d702 (patch) | |
| tree | 9254d8a667c60e4f3fb87f4f7f8fc29863876e2d /ubi-utils/include | |
| parent | 3ff90433ab22c001215d9a26c65de1b7f448dc79 (diff) | |
integck.c: Fix buffer overflow in save_file
In the problem above I've spend several hours waiting for the issue to 
appear, only to had the 'luck' that it was found in a file whose name was
256 bytes in length, resulting in the write to fail. Closer examination 
showed that the buffer to store the path was 256 bytes in length, but this
buffer also includes /tmp and the read/write suffix and should be able to
contain a filename which is up to 255 bytes (NAME_MAX in linux/limits.h)
in size which is a bad fit. So that array is modified to FILENAME_MAX
(stdio_lim.h) and some checking is added to truncate the filename should
it cause an overflow.
The following log shows the first patch in action (see the correct seed), 
and shows why this third patch is needed:
<quote>
integck:     File Data:
integck:         Offset: 0  Size: 1  Seed: 5008310  R.Off: 0
integck:     1 writes
integck:     ============================================
integck:     Write Info:
integck:         Offset: 0  Size: 1  Seed: 5008310  R.Off: 0
integck:         Offset: 0  Size: 1  Seed: 8246352  R.Off: 0
integck:         Offset: 0  Size: 1  Seed: 5078796  R.Off: 0
integck:         Offset: 0  Size: 1  Seed: 2267087  R.Off: 0
integck:         Offset: 0  Size: 1  Seed: 3602680  R.Off: 0
integck:     5 writes or truncations
integck:     ============================================
integck: Saving /tmp/yqcnfygfitaatyeyvffrguegcdttamcnyhowhgieljfuxfipiljsjcbluaeaghwyinkggommsbwnmvekihgnwgiibccpbwfrpxuxwkmnyghnutrudienngxwgorudbskedaaekiuiyqksfazrwzfwbfhzjjqoiulebtlpbfiuffmsnguqkjzqjqizimsmhbqqagaebjdhqwmzdxghiavtcxubegawlgtvstuqurkurpnrckjfkgostdtpg.integ.sav.readn
integck: error!: condition 'w_fd != -1' failed in save_file() at integck.c:1445
integck: error 36 (File name too long)
</quote>
Signed-off-by: Elie De Brauwer <eliedebrauwer@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Diffstat (limited to 'ubi-utils/include')
0 files changed, 0 insertions, 0 deletions
