Re: [Bug-glibc] PR 82 revisited
From: Andreas Jaeger
Subject: Re: [Bug-glibc] PR 82 revisited
Date: 19 Sep 2000 14:56:52 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Channel Islands)
>>>>> Jens-Uwe Mager writes:
> The fix for the host name length problem introduced in PR#82 does itself
> overrun the allocated buffer by one byte. The code in sunrpc/clnt_simp.c
> is:
> crp->oldhost = malloc(256);
> and later:
> (void) strncpy(crp->oldhost, host, 255);
> crp->oldhost[256] = '\0';
> The nul byte is written one byte beyond the allocated buffer, I would
> suspect:
> crp->oldhost[255] = '\0';
> was meant here. The problem pops up if the program using callrpc is
> debugged using efence.
I agree and have fixed this now for glibc 2.2.
Thanks,
Andreas
--
Andreas Jaeger
SuSE Labs address@hidden
private address@hidden
http://www.suse.de/~aj
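The bounded copy the report asks for, written out as an added example (not the glibc sunrpc code itself); the buffer size 256 is the one from the report, the function names are mine:

```c
#include <stdlib.h>
#include <string.h>

#define OLDHOST_SIZE 256  /* size passed to malloc() in the report */

/* Models the arithmetic in the report: a malloc(alloc_size) buffer has
 * valid indices 0 .. alloc_size-1, so storing the terminator at index
 * alloc_size (256 for a 256-byte buffer) is one byte past the end. */
int terminator_in_bounds(size_t alloc_size, size_t nul_index)
{
    return nul_index < alloc_size;
}

/* Corrected pattern: copy at most size-1 bytes of host, then store the
 * terminator at the last valid index.  strncpy() pads with NULs when host
 * is shorter than size-1, but writes no terminator at all when host is
 * size-1 bytes or longer, so the explicit store is required.  Returns a
 * malloc'd string the caller frees, or NULL on allocation failure. */
char *copy_oldhost(const char *host, size_t size)
{
    char *dst;
    if (size == 0)
        return NULL;
    dst = malloc(size);
    if (dst == NULL)
        return NULL;
    strncpy(dst, host, size - 1);
    dst[size - 1] = '\0';
    return dst;
}

/* Helper for checking the result: length of the copy that copy_oldhost()
 * produces for a host name of host_len bytes ('a' repeated), constructed
 * here as sample input. */
size_t copied_length(size_t host_len)
{
    char *host = malloc(host_len + 1);
    char *copy;
    size_t n;
    if (host == NULL)
        return 0;
    memset(host, 'a', host_len);
    host[host_len] = '\0';
    copy = copy_oldhost(host, OLDHOST_SIZE);
    n = copy ? strlen(copy) : 0;
    free(copy);
    free(host);
    return n;
}
```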