This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



array overflow in gdb/*-stub.c


Hello,
Looks like there is a one byte overflow in most
gdb/*-stub.c:getpacket().
The "while (count < BUFMAX)" may be exited when count == BUFMAX.
Which means "buffer[count] = 0" may overflow the array. Of course
if count reaches BUFMAX there is probably a problem anyway and
I don't see any way this overflow could be exploited by an attacker.
But it's still a bug.

The obvious fix is to change the while condition to "count < BUFMAX - 1".

Adrien "Krunch" Kunysz

Attachment: gdb-off-by-one.diff
Description: Text document

Attachment: ChangeLog
Description: Text document
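The off-by-one described in the report, as an added example that is not the stubs' own code and not part of the original message: a model of the getpacket() loop shape with the original `count < BUFMAX` bound beside the proposed `BUFMAX - 1` bound, with one spare canary byte after the logical buffer so the overrun is observable instead of corrupting memory. The small BUFMAX, the backing array and the helper names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUFMAX 8      /* small on purpose; the real stubs use a much larger buffer */
#define CANARY 0x7f

/* One spare byte after the logical BUFMAX-byte buffer so the off-by-one
 * write can be observed safely rather than clobbering whatever follows. */
static char backing[BUFMAX + 1];

/* Model of the getpacket() loop (not the stubs' own code): copy the packet
 * body from `in` until the '#' terminator, then NUL-terminate.
 * fixed == 0: loop bound is BUFMAX, so a body of BUFMAX or more bytes exits
 *             the loop with count == BUFMAX and buffer[count] = 0 lands one
 *             past the end.
 * fixed != 0: loop bound is BUFMAX - 1, as proposed in the report, so the
 *             terminator always stays inside the buffer. */
static int getpacket_loop(char *buffer, const char *in, int fixed)
{
    int limit = fixed ? BUFMAX - 1 : BUFMAX;
    int count = 0;
    while (count < limit) {
        char ch = *in++;
        if (ch == '#' || ch == '\0')
            break;
        buffer[count] = ch;
        count++;
    }
    buffer[count] = 0;   /* count <= limit here; equals BUFMAX only when not fixed */
    return count;
}

/* Runs the loop on `in` and reports whether the terminating NUL overran the
 * logical buffer (1) or stayed inside it (0). */
int terminator_overflows(const char *in, int fixed)
{
    memset(backing, 0, sizeof backing);
    backing[BUFMAX] = CANARY;
    getpacket_loop(backing, in, fixed);
    return backing[BUFMAX] != CANARY;
}

/* Number of body bytes stored for `in`; shows the fixed bound truncating
 * an over-long body to BUFMAX - 1 bytes instead of overrunning. */
int stored_length(const char *in, int fixed)
{
    memset(backing, 0, sizeof backing);
    backing[BUFMAX] = CANARY;
    return getpacket_loop(backing, in, fixed);
}
```

A body of exactly BUFMAX bytes ("AAAAAAAA#" with BUFMAX 8) overruns with the original bound and is stored as 7 bytes with the corrected one.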

