Subject: Re: bin/34658: [dM] identd truncates queries to first segment
To: None <peter@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 09/29/2006 16:15:05
The following reply was made to PR bin/34658; it has been noted by GNATS.
From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/34658: [dM] identd truncates queries to first segment
Date: Fri, 29 Sep 2006 18:11:56 +0200
der Mouse wrote:
> >> + if ((n = recv(fd, &buf[qlen], sizeof(buf)-qlen, 0)) < 0) {
>
> > This looks like asking for a buffer overflow to me. There's no
> > protection that prevents qlen from exceeding "sizeof buf".
>
> For that to happen, recv() would have to return a value greater than
> its third argument.
No, "sizeof(buf)-qlen" becomes negative, but the 3rd argument of
recv() has type size_t, which means it is promoted to a huge unsigned
integer value.
> + while (1) {
> + if (qlen >= sizeof(buf)) {
> + /* buf filled - ridiculously large query */
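Review bot: placed as the first statement of the `while (1)` body, this check turns away any iteration with `qlen >= sizeof(buf)` before a later `recv()` in the same iteration can evaluate `sizeof(buf)-qlen`, so that expression is only computed while `qlen < sizeof(buf)` and cannot wrap to a huge size_t. That holds only if nothing between this check and the `recv()` call grows `qlen`; the quoted fragment does not show the `recv()` line, so the ordering within the loop body should be confirmed in the full patch, and the comment should say what happens to the connection when the check fires (reject the query and close, rather than silently truncate).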
The buffer is only 4 KiB large; it doesn't take much to let it
overflow.
--
Christian
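An added example, not code from the PR, der Mouse's patch or NetBSD identd: a query reader in which the remaining space is computed by a clamping helper and checked before every recv(), so the length argument handed to recv() can never wrap the way the thread discusses. The names read_ident_query, space_left and the read_status values are assumptions for this example.

```c
/* Added example: not code from the PR, der Mouse's patch or NetBSD identd. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

enum read_status { READ_OK, READ_TOO_LARGE, READ_EOF, READ_ERROR };

/* Free bytes in a buffer of buflen holding qlen bytes.  A bare
 * "sizeof(buf)-qlen" is unsigned arithmetic: should qlen ever exceed buflen
 * it wraps to a huge size_t rather than going negative, and recv() would
 * accept that as its length.  Clamp to 0 instead of subtracting blindly. */
size_t space_left(size_t buflen, size_t qlen)
{
    return qlen < buflen ? buflen - qlen : 0;
}

/* Accumulate one "port, port\r\n" ident query into buf across as many
 * segments as it arrives in.  The bound is checked before every recv(), so
 * the length argument can never wrap.  On READ_OK buf is NUL-terminated with
 * the CRLF stripped and *out_len holds the query length. */
enum read_status read_ident_query(int fd, char *buf, size_t buflen, size_t *out_len)
{
    size_t qlen = 0, room;
    ssize_t n;
    char *nl;

    for (;;) {
        room = space_left(buflen, qlen + 1);    /* one byte reserved for NUL */
        if (room == 0)
            return READ_TOO_LARGE;  /* buffer full: ridiculously large query */
        n = recv(fd, buf + qlen, room, 0);
        if (n < 0)
            return READ_ERROR;
        if (n == 0)
            return READ_EOF;        /* peer closed before sending a full line */
        qlen += (size_t)n;
        buf[qlen] = '\0';
        nl = memchr(buf, '\n', qlen);
        if (nl == NULL)
            continue;               /* only part of the line so far: read more */
        if (nl > buf && nl[-1] == '\r')
            nl--;                   /* drop the CR of a CRLF terminator */
        *nl = '\0';
        *out_len = (size_t)(nl - buf);
        return READ_OK;
    }
}
```

Anything after the first line terminator is discarded, which suits an ident server that answers one query per connection.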