[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
buffer overflow in strfmon test harness
|
From: |
wagle |
|
Subject: |
buffer overflow in strfmon test harness |
|
Date: |
Fri, 24 May 2002 15:25:09 -0700 (PDT) |
Hi --
The test harness for strfmon in redhat 7.3's version of glibc resides in
glibc-2.2.5/localedata/tests-mbwc/tst_strfmon.c
It defines a buffer of 32 chars. But the test data in
glibc-2.2.5/localedata/tests-mbwc/dat_strfmon.c
contains a buffer size (nbt) of "33" in 11 of of the 45 test cases.
This results in the byte located immediately after the buffer being
zeroed, probably by the code:
/* We clear the last available byte so we can find out whether
the numeric representation is too long. */
s[maxsize - 1] = '\0';
The test harness 1probably needs to check for buffer overflows
specified by the user (ie, die noisely if "nbt > MONSIZE") or flaws in
the implementation (ie, writing beyond the user specified end of
buffer).
I will solve it for myself in the short term by making the buffer
larger, but I don't believe that is the correct solution.
Have fun!
-- Perry Wagle
PS. I detected it with the newest version of stackguard, beginning
its torture test ("build world"). This was the first buffer overflow
"in the wild" that it detected.
- buffer overflow in strfmon test harness,
wagle <=