ip_conntrack_standalone / sprintf to buffer

From: Sven Schnelle
Date: Tue May 24 2005 - 21:39:51 EST


Hi,

found the following code snippet in ip_conntrack_standalone.c:145
in function conntrack_iterate():
-------------------000000------8<-----------------------------
newlen = print_conntrack(buffer + *len, hash->ctrack);
printk("len + newlen: %d maxlen: %d\n", *len + newlen, maxlen);
if (*len + newlen > maxlen)
return 1;
else *len += newlen;
-------------000000------------8<-----------------------------

print_conntrack() uses sprintf without length checking. And now i'm
wondering what happens if for example, maxlen=3072 and
len=3071. print_conntrack uses sprintf, writes beyond the end the buffer, and
after this the check (*len + newlen > maxlen) is done. Looks to me like
a bug.

Did i missed something?

Bye,

Sven.
--
"If you can't make it good, at least make it look good." Bill Gates on
the solid code base of Win9X

Attachment: pgp00000.pgp
Description: PGP signature