Re: A couple of patches (RFC931 and scp location)
Paul B. Henson (henson@INTRANET.CSUPOMONA.EDU)
Mon, 9 Jun 1997 17:01:48 -0700
> From: Matt Simmons <simmonmt@cs.purdue.edu>
[...]
> a post to the ssh list. One of the subscribers to that list, Benjamin
> Stassart, looked through it and found a possible buffer overrun. His
I don't see an overflow here.
> > while ((w = read(s, &ch, 1)) == 1) {
> > *buf = ch;
> > if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
> > ++buf;
> > if ((buf - realbuf == sizeof(realbuf) - 1) || (ch ==
> > '\n'))
> > break;
> > }
This code is prefaced somewhere by:
char realbuf[SIZ];
buf = realbuf;
Translating into more readable(?) pseudo code:
Set buf to point to the first character of realbuf
While a call to read successfully returns a character
Add the character to realbuf at the location pointed to by buf
If the character is not a space, tab, or return
Increment buf to point at the next char in realbuf
If buf is pointing at the last char in realbuf or the character read
was a newline
Exit the while loop
This loop will exit on either a newline, or when buf is pointing at the
last character of realbuf.
Where's the possible overflow? If you feed this loop a bunch of spaces,
tabs, or returns, all you'll succeed in doing is overwriting the same spot
in realbuf.
--
Paul Henson | System Administrator | Cal Poly Pomona | (909) 869-3781
pbhenson@csupomona.edu | finger -l henson@www.csupomona.edu for PGP key