[Bug 2608] New: Signed overflow in openbsd-compat/strlcpy.c

bugzilla-daemon at bugzilla.mindrot.org
Wed Aug 24 13:58:41 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2608

            Bug ID: 2608
           Summary: Signed overflow in openbsd-compat/strlcpy.c
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: yuanjie.huang at windriver.com

Created attachment 2866
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2866&action=edit
test driver of strlcpy to demo the bug.

Pointer arithmetic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed
overflow.

When the code is compiled by gcc or clang with -ftrapv option, the
overflow would lead to program abort.

$ gcc test.c strlcpy.c -o test -m32 -ftrapv
$ ./test 
Allocating src starting from 0x7fffff40
Trying to copy 0x400 from 0x7fffff40 to 0x9630008
Aborted (core dumped)

The proposed fix is also attached.

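The report concerns the return value of the OpenBSD-style strlcpy, which is formed as the pointer difference `s - src - 1`. That difference is a signed ptrdiff_t, and under -ftrapv the compiler's signed subtraction can trap when the source buffer sits near the 2 GiB boundary of a 32-bit address space, as the attached test driver demonstrates. The following is an added illustration written for this page; it is not the attached patch and not OpenSSH code. It places the pointer-difference variant beside a rewrite (`strlcpy_counted`, a name chosen here) that tracks the number of consumed bytes in a size_t so no signed pointer subtraction is ever formed, and it checks that both keep the strlcpy contract: NUL-terminated truncation into `siz` bytes and a return value of strlen(src). The overflow itself depends on where the allocator places `src`, so an ordinary run of this file cannot reproduce the abort; what it shows is the equivalence of the two forms on constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pointer-difference variant, following the OpenBSD pattern the report
 * discusses: the return value is (s - src - 1), a signed ptrdiff_t.
 * With -ftrapv the signed subtraction underlying that expression is
 * what the report observed trapping on 32-bit targets. */
size_t strlcpy_ptrdiff(char *dst, const char *src, size_t siz)
{
    char *d = dst;
    const char *s = src;
    size_t n = siz;

    if (n != 0) {
        while (--n != 0) {
            if ((*d++ = *s++) == '\0')
                break;
        }
    }
    if (n == 0) {                 /* ran out of room: terminate and skip rest of src */
        if (siz != 0)
            *d = '\0';
        while (*s++)
            ;
    }
    return (size_t)(s - src - 1); /* signed pointer difference */
}

/* Counter variant (added illustration, not the patch attached to the bug):
 * the number of bytes consumed from src is kept in a size_t index, so the
 * return value never goes through a signed subtraction of two pointers. */
size_t strlcpy_counted(char *dst, const char *src, size_t siz)
{
    size_t copied = 0;   /* bytes written to dst, excluding the NUL */
    size_t srclen;

    if (siz != 0) {
        while (copied + 1 < siz && src[copied] != '\0') {
            dst[copied] = src[copied];
            copied++;
        }
        dst[copied] = '\0';       /* always NUL-terminate when siz > 0 */
    }
    /* strlcpy must return strlen(src) even when truncated, so keep scanning. */
    srclen = copied;
    while (src[srclen] != '\0')
        srclen++;
    return srclen;
}

/* Runs both variants on the same input and reports 1 if they agree on the
 * return value, on strlen(src), and on the bytes written. siz must be <= 64. */
int check_equivalent(const char *src, size_t siz)
{
    char a[64], b[64];
    size_t ra, rb;

    memset(a, 'X', sizeof a);     /* sentinel fill so untouched bytes compare too */
    memset(b, 'X', sizeof b);
    ra = strlcpy_ptrdiff(a, src, siz);
    rb = strlcpy_counted(b, src, siz);
    if (ra != rb || ra != strlen(src))
        return 0;
    return memcmp(a, b, siz) == 0;
}

int main(void)
{
    /* Constructed sample inputs: truncated copy, zero-size query, full copy. */
    char buf[8];
    size_t r = strlcpy_counted(buf, "hello", sizeof buf / 2);
    printf("truncated copy -> \"%s\", returned %zu\n", buf, r);
    printf("equivalent on all samples: %d\n",
           check_equivalent("hello", 4) && check_equivalent("hello", 0) &&
           check_equivalent("", 8) && check_equivalent("hi", 16));
    return 0;
}
```

Note that the counted form changes only how the length is tracked, not the copy loop's behaviour: the same bytes are written, the destination is still terminated whenever `siz` is non-zero, and the full source length is still returned so callers can detect truncation with `ret >= siz`.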