Aren/haiku
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Amended the {user,debug}_strlcpy() fix: Due to the strlcpy() semantics to

Browse Source 
always return the source string length, we can't really prevent an overflow
of the source address.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33489 a95241bf-73f2-0310-859d-f6bbb57e9c96
This commit is contained in:
Ingo Weinhold 2009-10-09 03:07:11 +00:00
parent 10e3075f26
commit aa6f54aa24
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/system/kernel/debug/debug.cpp
View File

@ -1559,6 +1559,8 @@ debug_strlcpy(char* to, const char* from, size_t size)
// limit size to avoid address overflows
size_t maxSize = std::min(size,
~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
// NOTE: Since strlcpy() determines the length of \a from, the source
// address might still overflow.
debug_strlcpy_parameters parameters = {to, from, maxSize};
@ -1568,7 +1570,7 @@ debug_strlcpy(char* to, const char* from, size_t size)
}
// If we hit the address overflow boundary, fail.
if (parameters.result == maxSize && maxSize < size)
if (parameters.result >= maxSize && maxSize < size)
return B_BAD_ADDRESS;
return parameters.result;

5
src/system/kernel/vm/vm.cpp
View File

@ -5491,13 +5491,14 @@ user_strlcpy(char* to, const char* from, size_t size)
// limit size to avoid address overflows
size_t maxSize = std::min(size,
~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
// NOTE: Since arch_cpu_user_strlcpy() determines the length of \a from,
// the source address might still overflow.
ssize_t result = arch_cpu_user_strlcpy(to, from, maxSize,
&thread_get_current_thread()->fault_handler);
// If we hit the address overflow boundary, fail.
if (result >= 0 && (size_t)result == maxSize && maxSize < size)
if (result >= 0 && (size_t)result >= maxSize && maxSize < size)
return B_BAD_ADDRESS;
return result;