[Bug 2608] New: Signed overflow in openbsd-compat/strlcpy.c
bugzilla-daemon at bugzilla.mindrot.org
Wed Aug 24 13:58:41 AEST 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Bug ID: 2608
Summary: Signed overflow in openbsd-compat/strlcpy.c
Product: Portable OpenSSH
Version: 7.3p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: yuanjie.huang at windriver.com
Created attachment 2866
--> https://bugzilla.mindrot.org/attachment.cgi?id=2866&action=edit
test driver of strlcpy to demo the bug.
Pointer arithmetic results in an implementation-defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed
overflow.
When the code is compiled by gcc or clang with the -ftrapv option, the
overflow would lead to program abort.
$ gcc test.c strlcpy.c -o test -m32 -ftrapv
$ ./test
Allocating src starting from 0x7fffff40
Trying to copy 0x400 from 0x7fffff40 to 0x9630008
Aborted (core dumped)
The proposed fix is also attached.
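
Added example, not part of the bug report and not the attached fix: one way to avoid evaluating 's - src' is to keep the source length in an unsigned size_t counter while keeping the strlcpy contract (return the full source length, always terminate when siz is non-zero). The names strlcpy_counted and copy_truncated are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical name (not from OpenSSH): same contract as strlcpy(), but the
 * return value is accumulated in an unsigned size_t counter, so no
 * 's - src' pointer difference (a signed ptrdiff_t) is ever evaluated.
 */
size_t strlcpy_counted(char *dst, const char *src, size_t siz)
{
	size_t i = 0;

	/* Copy at most siz - 1 bytes, stopping at the source terminator. */
	if (siz != 0) {
		while (i < siz - 1 && src[i] != '\0') {
			dst[i] = src[i];
			i++;
		}
		dst[i] = '\0';
	}

	/* Keep counting so the caller can detect truncation (ret >= siz). */
	while (src[i] != '\0')
		i++;

	return i;
}

/* Hypothetical caller-side check: returns 1 if src did not fit in dst. */
int copy_truncated(char *dst, size_t siz, const char *src)
{
	return strlcpy_counted(dst, src, siz) >= siz;
}

int main(void)
{
	char buf[8];
	size_t n = strlcpy_counted(buf, "0123456789", sizeof(buf));

	printf("copied \"%s\", source length %zu, truncated=%d\n",
	    buf, n, n >= sizeof(buf));
	return 0;
}
```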