First Last Prev Next    This bug is not in your last search results.
Bug 119654 - Buffer overrun in usb.c
Buffer overrun in usb.c
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kudzu (Show other bugs)
rawhide
All Linux
medium Severity high
: ---
: ---
Assigned To: Bill Nottingham
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-31 23:28 EST by Alex Kiernan
Modified: 2014-03-16 22:43 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.1.54-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-01 00:09:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Alex Kiernan 2004-03-31 23:28:21 EST 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
Running kudzu under ElectricFence crashes in usb.c at line 545, 
looking:

   527                  probeMods = malloc(2 * sizeof(struct module));
...
   536                          numMods = 1;
...
   545                                          probeMods[numMods + 
1].name = NULL;

numMods + 1 will be 2 the first time, but probeMods only has two 
elements, so we're writing off the end of the buffer.

The lack of any realloc code for probeMods looks suspicious, but I 
may just not understand :)

Version-Release number of selected component (if applicable):
kudzu-1.1.53-1

How reproducible:
Always

Steps to Reproduce:
1. LD_PRELOAD=libefence.so.0.0 kudzu --probe
2.
3.
    

Additional info:

This one liner fixes the immediate problem:

--- ../kudzu-1.1.53/usb.c	2004-01-26 05:30:48.000000000 +0000
+++ ./usb.c	2004-04-01 05:12:11.743165338 +0100
@@ -524,7 +524,7 @@
 			usbReadDrivers(NULL);
 			init_list = 1;
 		}
-		probeMods = malloc(2 * sizeof(struct module));
+		probeMods = malloc(3 * sizeof(struct module));
 		probeMods[0].name = NULL;
 		cf = readConfModules(module_file);
 		if (cf && (alias = getAlias(cf, "usb-controller"))
Comment 1 Bill Nottingham 2004-04-01 00:01:46 EST 
Yowza, yeah, there's a missing realloc there.

Fixed in 1.1.54-1, thanks!
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.