Bugtraq mailing list archives

Re: A couple of patches (RFC931 and scp location)


From: henson () INTRANET CSUPOMONA EDU (Paul B. Henson)
Date: Mon, 9 Jun 1997 17:01:48 -0700


From: Matt Simmons <simmonmt () cs purdue edu>
[...]
a post to the ssh list.  One of the subscribers to that list, Benjamin
Stassart, looked through it and found a possible buffer overrun.  His

I don't see an overflow here.


        while ((w = read(s, &ch, 1)) == 1) {
                *buf = ch;
                if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
                        ++buf;
                if ((buf - realbuf == sizeof(realbuf) - 1) || (ch == '\n'))
                        break;
        }

This code is prefaced somewhere by:

  char realbuf[SIZ];
  buf = realbuf;

Translating into more readable(?) pseudo code:

  Set buf to point to the first character of realbuf
  While a call to read successfully returns a character
    Add the character to realbuf at the location pointed to by buf
    If the character is not a space, tab, or return
      Increment buf to point at the next char in realbuf
    If buf is pointing at the last char in realbuf or the character read
    was a newline
      Exit the while loop


This loop will exit on either a newline, or when buf is pointing at the
last character of realbuf.

Where's the possible overflow? If you feed this loop a bunch of spaces,
tabs, or returns, all you'll succeed in doing is overwriting the same spot
in realbuf.


--
Paul Henson  |  System Administrator  |  Cal Poly Pomona  |  (909) 869-3781
pbhenson () csupomona edu | finger -l henson () www csupomona edu for PGP key
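The following is an added check of the argument above, not code from the post or from the ssh source: it reproduces the quoted loop over a constructed in-memory byte stream (a hypothetical mem_read() standing in for the socket read()) and places a canary immediately after realbuf so that any write past realbuf[SIZ-1] would show up. The struct and function names, the small SIZ of 16, and the sample inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for read(s, &ch, 1) on a socket: hands out one
 * byte at a time from a constructed byte string, returning 0 at EOF. */
struct mem_stream {
    const char *data;
    size_t len;
    size_t pos;
};

static int mem_read(struct mem_stream *s, char *ch)
{
    if (s->pos >= s->len)
        return 0;
    *ch = s->data[s->pos++];
    return 1;
}

#define SIZ 16  /* assumed small buffer size so the limit is easy to reach */

/* realbuf followed directly by a canary; a write past realbuf[SIZ-1]
 * would land in the canary and be detected by canary_intact(). */
struct guarded {
    char realbuf[SIZ];
    char canary[8];
};

/* The quoted loop, unchanged apart from reading from a memory stream.
 * realbuf is a pointer here, so the array size is taken from the struct
 * member (sizeof(g->realbuf)), which is what sizeof(realbuf) meant in the
 * original where realbuf was the array itself. Returns buf - realbuf,
 * i.e. the number of non-whitespace bytes stored. */
static size_t read_line_guarded(struct mem_stream *s, struct guarded *g)
{
    char *realbuf = g->realbuf;
    char *buf = realbuf;
    char ch;
    int w;

    memset(g->realbuf, 0, sizeof(g->realbuf));
    memset(g->canary, 'C', sizeof(g->canary));

    while ((w = mem_read(s, &ch)) == 1) {
        *buf = ch;
        if ((ch != ' ') && (ch != '\t') && (ch != '\r'))
            ++buf;
        if (((size_t)(buf - realbuf) == sizeof(g->realbuf) - 1) || (ch == '\n'))
            break;
    }
    return (size_t)(buf - realbuf);
}

/* True if nothing was written past realbuf. */
static int canary_intact(const struct guarded *g)
{
    size_t i;
    for (i = 0; i < sizeof(g->canary); i++)
        if (g->canary[i] != 'C')
            return 0;
    return 1;
}

/* Runs the loop over one constructed input; returns the number of bytes
 * kept, or -1 if the canary was overwritten. */
static long run_case(const char *input, size_t inlen)
{
    struct mem_stream s = { input, inlen, 0 };
    struct guarded g;
    size_t kept = read_line_guarded(&s, &g);
    return canary_intact(&g) ? (long)kept : -1;
}

/* Constructed inputs: a long run of non-whitespace bytes with no newline,
 * a flood of spaces ending in a newline, a short ordinary line, and a line
 * that hits the limit only after a run of spaces. */
static long case_long_run(void)
{
    char in[100];
    memset(in, 'A', sizeof(in));
    return run_case(in, sizeof(in));          /* stops at SIZ - 1 = 15 */
}

static long case_whitespace_flood(void)
{
    char in[1001];
    memset(in, ' ', 1000);
    in[1000] = '\n';
    return run_case(in, sizeof(in));          /* spaces overwrite realbuf[0]; newline kept: 1 */
}

static long case_short_line(void)
{
    const char in[] = "abc def\n";
    return run_case(in, strlen(in));          /* "abcdef\n" stored: 7 */
}

static long case_mixed(void)
{
    char in[67];
    memset(in, 'A', 14);
    memset(in + 14, ' ', 50);
    memcpy(in + 64, "BCD", 3);
    return run_case(in, sizeof(in));          /* limit reached at 'B': 15 */
}

int main(void)
{
    printf("long run: %ld\nwhitespace flood: %ld\nshort line: %ld\nmixed: %ld\n",
           case_long_run(), case_whitespace_flood(), case_short_line(), case_mixed());
    return 0;
}
```

In every case the stored count never exceeds SIZ - 1 and the canary survives, which matches the reasoning above: whitespace bytes are rewritten in place at the current buf position, and the loop breaks as soon as buf reaches the last slot, so that slot itself is never written by the loop.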


