Robert Hancock wrote:
Randy.Dunlap wrote:
The latter one does (before the listed code):
    memset(line, 0, LINE_SIZE);
    if (len > LINE_SIZE)
        len = LINE_SIZE;
    if (copy_from_user(line, buf, len - 1))
        return -EFAULT;
so isn't line[LINE_SIZE - 1] always 0?
In that case, yes (I hadn't looked at the s
Robert Hancock wrote:
Artem Frolov wrote:
Hello,
I am in the process of testing a static defect analyzer on the Linux
kernel source code (see disclosure below).
I found some potential array bounds violations. The pattern is as
follows: bytes are copied from user space and then the buffer is
accessed at index strlen(buf)-1.