That's right--buf is accessed without bounds checking. The problem is in
ttyread() in the while loop, buf gets overflowed, i.e. ptr - buf exceeds
BUFSIZ (8192). Haven't figured out how to remedy the problem (yet).
On 11/20/2015 01:16 PM, Martti Kühne wrote:
I can generally reproduce this reliably using
$ st -e cat /dev/urandom
In what way the underflow of buflen is caused though, I have not yet
been able to determine.
One aspect of the problem is definitely that buflen is generally never
range-checked.
cheers!
mar77i
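The failure mode described above (a buffer filled by read(2) at buf+buflen, consumed from the front by a decoder, with buflen going negative and buf overflowing) is easy to reproduce in miniature. The following is an added example, not st's code and not anyone's patch from this thread: it models one way such an underflow can happen, namely a consumer that trusts the length a UTF-8 lead byte claims without comparing it to the bytes actually present, and shows the checked version next to it. BUFSZ, struct rbuf, utf8_seqlen, rbuf_feed, rbuf_drain_naive and rbuf_drain_checked are all hypothetical names chosen for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical read buffer with the shape the thread describes: bytes are
 * appended at buf+buflen, complete characters are consumed from the front,
 * the incomplete tail is moved back to the start for the next call. */
#define BUFSZ 16 /* deliberately small; st uses BUFSIZ */

struct rbuf {
	unsigned char buf[BUFSZ];
	int buflen; /* signed, as in the thread, so an underflow is visible */
};

/* Byte length a UTF-8 lead byte claims for its sequence; 0 for a byte
 * that cannot start one (continuation byte, 0xC0/0xC1, anything > 0xF4). */
int utf8_seqlen(unsigned char c)
{
	if (c < 0x80) return 1;
	if (c >= 0xC2 && c <= 0xDF) return 2;
	if (c >= 0xE0 && c <= 0xEF) return 3;
	if (c >= 0xF0 && c <= 0xF4) return 4;
	return 0;
}

/* Append up to n bytes without ever writing past the end of buf.
 * Refuses to touch a buffer whose buflen is already out of range.
 * Returns the number of bytes accepted. */
size_t rbuf_feed(struct rbuf *b, const unsigned char *data, size_t n)
{
	if (b->buflen < 0 || b->buflen > BUFSZ)
		return 0; /* invariant already broken: do not make it worse */
	size_t room = BUFSZ - (size_t)b->buflen;
	if (n > room)
		n = room;
	memcpy(b->buf + b->buflen, data, n);
	b->buflen += (int)n;
	return n;
}

/* Naive consumer: subtracts whatever length the lead byte claims, even
 * when fewer bytes than that are present. A truncated sequence at the end
 * of the buffer drives buflen negative; a following unchecked
 * read(cmdfd, buf+buflen, sizeof buf - buflen) would then write outside
 * buf. Returns the number of characters consumed. */
int rbuf_drain_naive(struct rbuf *b)
{
	int n = 0, len;
	unsigned char *ptr = b->buf;

	while (b->buflen > 0 && (len = utf8_seqlen(*ptr)) > 0) {
		ptr += len;
		b->buflen -= len; /* no check that len <= bytes remaining */
		n++;
	}
	if (b->buflen > 0) /* guard exists only so the demo itself cannot crash */
		memmove(b->buf, ptr, (size_t)b->buflen);
	return n;
}

/* Checked consumer: a sequence is consumed only when all of its bytes are
 * present; an invalid lead byte is consumed as one byte so the loop always
 * makes progress. On return, 0 <= buflen <= BUFSZ holds. */
int rbuf_drain_checked(struct rbuf *b)
{
	int n = 0, len, remaining = b->buflen;
	unsigned char *ptr = b->buf;

	while (remaining > 0) {
		len = utf8_seqlen(*ptr);
		if (len == 0)
			len = 1;          /* invalid lead byte: skip it */
		if (len > remaining)
			break;            /* incomplete tail: keep it for the next call */
		ptr += len;
		remaining -= len;
		n++;
	}
	memmove(b->buf, ptr, (size_t)remaining);
	b->buflen = remaining;
	return n;
}
```

Feeding both consumers "abc" followed by the first two bytes of a three-byte sequence (0xE2 0x82, constructed input) is enough to tell them apart: the naive one reports four characters and leaves buflen at -1, the checked one reports three, keeps the two-byte tail, and completes the character once the final 0xAC arrives. rbuf_feed also caps what it accepts at the free space, which is the bounds check the thread notes is missing for buf.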