This is the mail archive of the
gdb-prs@sourceware.org
mailing list for the GDB project.
gdb/2315: buffer overflow in monitor code
- From: moritz at jodeit dot org
- To: gdb-gnats at sources dot redhat dot com
- Date: 11 Sep 2007 16:31:18 -0000
- Subject: gdb/2315: buffer overflow in monitor code
- Reply-to: moritz at jodeit dot org
>Number: 2315
>Category: gdb
>Synopsis: buffer overflow in monitor code
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: patch
>Submitter-Id: net
>Arrival-Date: Tue Sep 11 16:38:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Moritz Jodeit
>Release: cvs -current
>Organization:
>Environment:
>Description:
A straightforward buffer overflow is possible in the monitor code, because the sscanf(3) format string does not specify a maximum length.
>How-To-Repeat:
>Fix:
Index: monitor.c
===================================================================
RCS file: /cvs/src/src/gdb/monitor.c,v
retrieving revision 1.74
diff -u -p -r1.74 monitor.c
--- monitor.c 23 Aug 2007 18:08:36 -0000 1.74
+++ monitor.c 11 Sep 2007 16:26:59 -0000
@@ -2109,7 +2109,7 @@ monitor_load (char *file, int from_tty)
char buf[128];
/* enable user to specify address for downloading as 2nd arg to load */
- n = sscanf (file, "%s 0x%lx", buf, &load_offset);
+ n = sscanf (file, "%127s 0x%lx", buf, &load_offset);
if (n > 1)
file = buf;
else
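Review bot: the `%127s` width keeps sscanf inside `char buf[128]`, but a name longer than 127 characters is now silently truncated: the leftover characters fail to match the following " 0x", n drops to 1, the `if (n > 1)` assignment is skipped and control takes the `else` branch with `file` still pointing at the whole argument string, offset text included. Consider detecting the truncation (a `%n` after the `%127s`, then checking that the next character is whitespace or NUL) and reporting an error instead of loading the wrong thing. Also, 127 is a second copy of the buffer size declared on the line above (`char buf[128];`); deriving the width from a single constant (e.g. a macro stringified into the format and used for the array size) keeps the two from drifting apart.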
>Release-Note:
>Audit-Trail:
>Unformatted:
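The parse described in this report, as an added stand-alone example (not code from the submitter or from GDB's monitor.c): the same "file name, optional hex offset" sscanf as the patched monitor_load, with the width derived from one constant and with a truncation check, plus a guarded-buffer demo that feeds a 300-character name and verifies the bytes after the buffer survive. All names (LOADBUF_MAX, parse_load_args, demo_overlong_name_is_contained) and the inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical names for this example; not GDB's own code. */

#define LOADBUF_MAX 127                 /* longest name that fits in buf[128] with its NUL */
#define STR_(x) #x
#define STR(x) STR_(x)                  /* turns LOADBUF_MAX into "127" for the format string */

enum load_parse_result {
    LOAD_NO_ARGS,           /* nothing to parse */
    LOAD_FILE_ONLY,         /* "file" */
    LOAD_FILE_AND_OFFSET,   /* "file 0xNNN" */
    LOAD_TRUNCATED          /* name longer than LOADBUF_MAX: buf holds only a prefix */
};

/*
 * Same parse as the patched monitor_load(): a file name, optionally followed by
 * a hex load offset.  The width limit keeps sscanf inside buf (the unpatched
 * "%s 0x%lx" writes past buf[128] for any name of 128 or more characters).  The
 * %n records how much of args the %s consumed, so a silently truncated name can
 * be reported instead of being treated as a different command line.
 */
enum load_parse_result
parse_load_args(const char *args, char buf[LOADBUF_MAX + 1], unsigned long *load_offset)
{
    int consumed = 0;
    int n;

    buf[0] = '\0';
    n = sscanf(args, "%" STR(LOADBUF_MAX) "s%n 0x%lx", buf, &consumed, load_offset);
    if (n < 1)
        return LOAD_NO_ARGS;
    /* %s stopped because the width ran out, not at whitespace or end of string. */
    if (args[consumed] != '\0' && !isspace((unsigned char)args[consumed]))
        return LOAD_TRUNCATED;
    return n > 1 ? LOAD_FILE_AND_OFFSET : LOAD_FILE_ONLY;
}

/*
 * Feeds an over-long name into a buffer followed by guard bytes and checks that
 * the guard is untouched.  Returns 1 when the write stayed inside buf.
 */
int demo_overlong_name_is_contained(void)
{
    struct {
        char buf[LOADBUF_MAX + 1];
        char guard[16];
    } frame;
    char args[400];
    unsigned long off = 0;
    enum load_parse_result r;

    memset(frame.guard, 0x5a, sizeof frame.guard);
    /* Constructed input: a 300-character name followed by an offset. */
    memset(args, 'A', 300);
    memcpy(args + 300, " 0x1000", 8);   /* the 8 bytes include the NUL */

    r = parse_load_args(args, frame.buf, &off);
    if (r != LOAD_TRUNCATED)
        return 0;
    if (strlen(frame.buf) != LOADBUF_MAX)
        return 0;
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5a)
            return 0;
    return 1;
}

int main(void)
{
    char buf[LOADBUF_MAX + 1];
    unsigned long off = 0;
    enum load_parse_result r;

    r = parse_load_args("firmware.srec 0x40000", buf, &off);
    printf("result=%d file=%s offset=0x%lx\n", (int)r, buf, off);
    printf("over-long name contained: %s\n",
           demo_overlong_name_is_contained() ? "yes" : "no");
    return 0;
}
```

With the unbounded "%s" of the original code the guard bytes in demo_overlong_name_is_contained would be overwritten by the A's; with the width limit the name is cut at 127 characters, the trailing " 0x1000" no longer matches, and the caller learns that from LOAD_TRUNCATED rather than from the wrong file being loaded.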