generate_nv_list() calls strlen() on data provided by user

Bug #1023323 reported by Tyler Hicks
This bug affects 1 person
Affects: eCryptfs
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

Originally reported by segooon in bug #732614

generate_nv_list() calls strlen() with an argument pointing to user-controllable data. The data might not be terminated with \0. This may lead to a SEGFAULT.

Jason Xing (wlxing)
Changed in ecryptfs:
status: New → Fix Released
Tyler Hicks (tyhicks) wrote :

Why was this bug marked Fix Released? Please don't close bugs without a comment explaining why the bug is being closed.

Changed in ecryptfs:
status: Fix Released → New
Jason Xing (wlxing) wrote :

I took a look at line 362 (http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/libecryptfs/cmd_ln_parser.c#L362) and line 371 (see http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/libecryptfs/cmd_ln_parser.c#L371). I have no clue in what kind of case we would run into this bug ("tok_str" not terminated with "\0"). Can you give some extreme cases that may cause a SEGFAULT? Thank you.
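
An added example, not part of the original report and not eCryptfs code: a length-bounded name/value parser that scans with memchr() inside a known buffer size instead of calling strlen(), so input that lacks a terminating \0 cannot cause a read past the buffer. The newline-separated name=value format, struct nv_pair, parse_nv_bounded() and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pair type for this example; not eCryptfs's own structure. */
struct nv_pair {
    const char *name;  size_t name_len;
    const char *value; size_t value_len;
};

/* Constructed sample input: 13 bytes, deliberately NOT NUL-terminated. */
static const char sample[] = { 'k','e','y','=','a','b','c','\n','s','i','g','=','x' };

/*
 * Parse '\n'-separated "name=value" tokens from buf[0..len) (assumed format).
 * Every scan is bounded by len, so no terminator is needed and strlen() is
 * never called on the input. Returns the pair count, or -1 on bad input.
 */
int parse_nv_bounded(const char *buf, size_t len,
                     struct nv_pair *out, size_t max_pairs)
{
    size_t pos = 0, n = 0;

    if (buf == NULL || out == NULL || memchr(buf, '\0', len) != NULL)
        return -1;                      /* reject embedded NULs outright */
    while (pos < len) {
        const char *tok = buf + pos;
        const char *nl = memchr(tok, '\n', len - pos);
        size_t tok_len = nl ? (size_t)(nl - tok) : len - pos;
        const char *eq = memchr(tok, '=', tok_len);

        pos += tok_len + (nl ? 1 : 0);
        if (tok_len == 0)
            continue;                   /* blank line */
        if (eq == NULL || eq == tok || n == max_pairs)
            return -1;                  /* no '=', empty name, or list full */
        out[n].name = tok;
        out[n].name_len = (size_t)(eq - tok);
        out[n].value = eq + 1;
        out[n].value_len = tok_len - out[n].name_len - 1;
        n++;
    }
    return (int)n;
}

int main(void)
{
    struct nv_pair p[4];
    printf("%d pairs\n", parse_nv_bounded(sample, sizeof sample, p, 4));
    return 0;
}
```

The returned pairs are pointer-plus-length views into the caller's buffer, so later code must also use the lengths (for example memcmp() or "%.*s") rather than string functions that expect a terminator.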
