This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



Re: array overflow in gdb/*-stub.c


On Mon, Feb 27, 2006 at 09:51:09PM +0100, Adrien Kunysz wrote:
> Hello,
> Looks like there is a one byte overflow in most
> gdb/*-stub.c:getpacket().
> The "while (count < BUFMAX)" may be exited when count == BUFMAX.
> Which means "buffer[count] = 0" may overflow the array. Of course
> if count reaches BUFMAX there is probably a problem anyway and
> I don't see any way this overflow could be exploited by an attacker.
> But it's still a bug.
> 
> The obvious fix is to change the while condition to "count < BUFMAX - 1".

Thanks; this patch is obviously correct.  Amusingly, there are comments
in remote.c saying that "most stubs" have this problem, but no one
bothered to fix the ones we shipped...

These stubs aren't very useful at all, I suspect, but I'm sure people
still use them as examples.

I touched up the ChangeLog entry and checked in the patch.


-- 
Daniel Jacobowitz
CodeSourcery
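The off-by-one discussed above, as an added example that is not code from the GDB stubs: a small model of the getpacket() read loop, parameterised on the loop bound so the shipped condition (count < BUFMAX) and the fixed one (count < BUFMAX - 1) run side by side. BUFMAX is shrunk to 8 for readability (an assumption; the real stubs use a larger value), get_debug_char() stands in for the stub's getDebugChar() and reads from a constructed packet string instead of a serial port, and the packet buffer is allocated one byte larger than BUFMAX with a canary in the extra slot so the out-of-bounds store lands somewhere observable rather than in undefined memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real stubs use a much larger BUFMAX; shrunk here so the overflow is easy
 * to see (assumption for this example). */
#define BUFMAX 8
#define CANARY 0xAA

/* Constructed stand-in for the serial line behind getDebugChar(). */
struct wire {
    const char *data;
    size_t pos;
};

static char get_debug_char(struct wire *w)
{
    if (w->data[w->pos] == '\0')
        return '#';            /* pad an exhausted packet so the loop ends */
    return w->data[w->pos++];
}

/* The read loop of getpacket(), with the loop bound as a parameter so the
 * shipped form (limit == BUFMAX) and the fixed form (limit == BUFMAX - 1)
 * can be compared.  buf must hold BUFMAX + 1 bytes: the extra byte is a
 * canary that absorbs the out-of-bounds store.  Returns the index the NUL
 * was stored at and reports through *terminated whether the loop actually
 * stopped on '#' (as opposed to hitting the bound). */
static int read_packet_body(struct wire *w, unsigned char *buf, int limit,
                            int *terminated)
{
    int count = 0;
    char ch = 0;

    while (count < limit) {
        ch = get_debug_char(w);
        if (ch == '#')
            break;
        buf[count] = (unsigned char)ch;
        count = count + 1;
    }
    /* With limit == BUFMAX and a body of BUFMAX or more bytes, the loop
     * exits with count == BUFMAX and this store hits buffer[BUFMAX]. */
    buf[count] = 0;
    *terminated = (ch == '#');
    return count;
}

struct outcome {
    int nul_index;     /* where the terminating NUL landed */
    int overflowed;    /* 1 if the byte past the buffer was clobbered */
    int terminated;    /* 1 if the loop stopped on '#', 0 if it hit the bound */
};

/* Run one variant over a constructed packet body (everything up to '#'). */
static struct outcome run_variant(const char *packet, int limit)
{
    unsigned char buf[BUFMAX + 1];
    struct wire w = { packet, 0 };
    struct outcome o;

    memset(buf, 0, sizeof buf);
    buf[BUFMAX] = CANARY;      /* first out-of-bounds slot of the real buffer */
    o.nul_index = read_packet_body(&w, buf, limit, &o.terminated);
    o.overflowed = (buf[BUFMAX] != CANARY);
    return o;
}

int main(void)
{
    /* Constructed packets: 3, BUFMAX - 1, BUFMAX and 2 * BUFMAX body bytes. */
    const char *packets[] = { "abc#", "0123456#", "01234567#", "0123456789abcdef#" };
    size_t i;

    for (i = 0; i < sizeof packets / sizeof packets[0]; i++) {
        struct outcome shipped = run_variant(packets[i], BUFMAX);
        struct outcome fixed = run_variant(packets[i], BUFMAX - 1);
        printf("%-18s BUFMAX: nul@%d ovf=%d term=%d  BUFMAX-1: nul@%d ovf=%d term=%d\n",
               packets[i], shipped.nul_index, shipped.overflowed,
               shipped.terminated, fixed.nul_index, fixed.overflowed,
               fixed.terminated);
    }
    return 0;
}
```

In this model a body of exactly BUFMAX bytes is enough to trip the shipped loop: count reaches BUFMAX, the loop exits, and the NUL is stored at buffer[BUFMAX]. The fix moves that store to buffer[BUFMAX - 1], which is in bounds, at the cost of one byte of capacity: a body of exactly BUFMAX - 1 bytes used to be read completely (the loop consumed the '#'), whereas with the tighter bound the loop exits before the '#' is read, so such a packet now arrives truncated and must be treated as incomplete by whatever checks ch afterwards.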

