This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: array overflow in gdb/*-stub.c
- From: Daniel Jacobowitz <drow at false dot org>
- To: a_kunysz at yahoo dot com
- Cc: gdb-patches at sources dot redhat dot com
- Date: Thu, 30 Mar 2006 11:44:13 -0500
- Subject: Re: array overflow in gdb/*-stub.c
- References: <20060227205109.GA2547@ms804.montefiore.ulg.ac.be>
On Mon, Feb 27, 2006 at 09:51:09PM +0100, Adrien Kunysz wrote:
> Hello,
> Looks like there is a one byte overflow in most
> gdb/*-stub.c:getpacket().
> The "while (count < BUFMAX)" may be exited when count == BUFMAX.
> Which means "buffer[count] = 0" may overflow the array. Of course
> if count reaches BUFMAX there is probably a problem anyway and
> I don't see any way this overflow could be exploited by an attacker.
> But it's still a bug.
>
> The obvious fix is to change the while condition to "count < BUFMAX - 1".
Thanks; this patch is obviously correct. Amusingly, there are comments
in remote.c saying that "most stubs" have this problem, but no one
bothered to fix the ones we shipped...
These stubs aren't very useful at all, I suspect, but I'm sure people
still use them as examples.
I touched up the ChangeLog entry and checked in the patch.
--
Daniel Jacobowitz
CodeSourcery
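A bounded rewrite of the getpacket() loop discussed in this thread, added here as an example and not the gdb stub's own code: it keeps one slot free for the terminator and rejects a payload that would not fit, instead of writing buffer[BUFMAX]. The string-backed get_debug_char(), hex(), the small BUFMAX and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define BUFMAX 16 /* kept small here so the boundary is easy to exercise */

/* Constructed stand-in for the stub's getDebugChar(): reads from a string. */
static const char *src;
static int get_debug_char(void) { return *src ? (unsigned char)*src++ : -1; }

static int hex(int ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Read one "$<data>#<cc>" packet from input into buffer[BUFMAX].
 * Returns the payload length, -1 on checksum mismatch, -2 if the stream
 * ends early or the payload would not fit together with its terminator. */
int getpacket_bounded(const char *input, char buffer[BUFMAX])
{
    int ch, count = 0;
    unsigned char checksum = 0;

    src = input;
    do {                       /* wait for the start-of-packet '$' */
        ch = get_debug_char();
        if (ch < 0) return -2;
    } while (ch != '$');

    for (;;) {
        ch = get_debug_char();
        if (ch < 0) return -2;
        if (ch == '#') break;
        if (ch == '$') { count = 0; checksum = 0; continue; } /* restart, as the stub does */
        /* Leave one slot for the NUL: this is the bound the original loop lacked. */
        if (count >= BUFMAX - 1) return -2;
        checksum += (unsigned char)ch;
        buffer[count++] = (char)ch;
    }
    buffer[count] = '\0';      /* count <= BUFMAX - 1, so this stays in bounds */

    int hi = hex(get_debug_char()), lo = hex(get_debug_char());
    if (hi < 0 || lo < 0 || (unsigned char)(hi * 16 + lo) != checksum)
        return -1;
    return count;
}
```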