Bug 114661 - Possible buffer overflows in kudzu code (readlink usage)
Product: Fedora
Classification: Fedora
Component: kudzu
All Linux
medium Severity medium
Assigned To: Bill Nottingham
David Lawrence
Reported: 2004-01-30 15:11 EST by Yaroslav Popovitch
Modified: 2014-03-16 22:41 EDT
Fixed In Version: 1.1.116-1
Doc Type: Bug Fix
Last Closed: 2005-04-28 14:08:45 EDT

Attachments
examples of code with errors (1.32 KB, text/plain)
2004-01-30 15:18 EST, Yaroslav Popovitch

Description Yaroslav Popovitch 2004-01-30 15:11:42 EST
Description of problem:
Possible buffer overflows in kudzu's readlink code, possible security

int readlink(const char *path, char *buf, size_t bufsiz);

readlink places the contents of the symbolic link path in the
buffer buf, which has size bufsiz. readlink does not append a NUL
character to buf. It will truncate the contents (to a length of
bufsiz characters), in case the buffer is too small to hold all of the

Readlink does not append a NULL character to buf. In kudzu's code the
NULL character is set using memset, before calling readlink. In some
cases, if bufsiz is equal to the length of the buffer, we have a string
which is not terminated by NULL; as a result, there are possible buffer

hwconf.c:227:   if (readlink(path,path2,256)>0) {
serial.c:954:   if (readlink("/dev/modem",lockfile,32)>0) {

Version-Release number of selected component (if applicable):
- the latest CVS version, kudzu-1.1.36-1

How reproducible:
The general idea is to create a link with the same name as those used by
kudzu. The contents of the link must be longer than or equal to the buffer length.

Expected results:
Possible seg. faults.
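
The termination problem described in the report above, as an added C example that is not part of the bug report and is not kudzu's code or its eventual fix. It runs the reported call shape (zeroed 32-byte buffer, full size passed to readlink) next to a wrapper that reserves one byte and terminates from readlink's return value; the function names, the /tmp path and the 'A' link targets are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* for readlink, symlink, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed input: symlink with a target of `len` 'A' bytes in a new temp dir. */
int make_link(size_t len, char *out, size_t outsz)
{
    char dir[] = "/tmp/rl-demo-XXXXXX", target[128] = {0};
    if (len >= sizeof target || !mkdtemp(dir)) return -1;
    memset(target, 'A', len);
    snprintf(out, outsz, "%s/link", dir);
    return symlink(target, out);
}

void drop_link(char *path)   /* remove the link, then its temp dir */
{
    unlink(path);
    *strrchr(path, '/') = '\0';
    rmdir(path);
}

/* Pattern from the report: zero the buffer, pass its full size. 1 = NUL remains, 0 = none. */
int full_size_read_is_terminated(const char *link)
{
    char buf[32];
    memset(buf, 0, sizeof buf);
    if (readlink(link, buf, sizeof buf) <= 0) return -1;
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened: leave room for the terminator, write it from the return value,
 * and treat a completely filled buffer as a possibly truncated target. */
ssize_t readlink_str(const char *link, char *buf, size_t bufsiz)
{
    ssize_t n = bufsiz < 2 ? -1 : readlink(link, buf, bufsiz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (size_t)n == bufsiz - 1 ? -1 : n;
}

int main(void)
{
    char path[64], buf[32];
    if (make_link(32, path, sizeof path) != 0) return 1;
    printf("terminated after full-size read: %d\n", full_size_read_is_terminated(path));
    printf("hardened read: %ld\n", (long)readlink_str(path, buf, sizeof buf));
    drop_link(path);
}
```

The check in full_size_read_is_terminated stays inside the 32-byte buffer, so it reports the missing terminator without reading past the end the way a later string function would.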
Comment 1 Bill Nottingham 2004-01-30 15:17:26 EST
All of these links are in root-writable only directories, so I don't
see how this is a security issue. But it should be fixed, yes.
Comment 2 Yaroslav Popovitch 2004-01-30 15:18:37 EST
Created attachment 97374
examples of code with errors
Comment 3 Bill Nottingham 2005-04-28 14:08:45 EDT
Fixed in CVS, will be in 1.1.116-1 or later.
