Received: (at submit) by bugs.debian.org; 28 Sep 2001 00:09:12 +0000
From Marcus.Brinkmann@ruhr-uni-bochum.de Thu Sep 27 19:09:12 2001
Return-path:
Received: from porta.u64.de [194.77.88.106] by master.debian.org with esmtp (Exim 3.12 1 (Debian)) id 15mlDM-0007K8-00; Thu, 27 Sep 2001 19:09:12 -0500
Received: from (localhost) [212.23.136.22] (mail) by porta.u64.de with asmtp (Exim 3.12 #1 (Debian)) id 15mly6-0004IB-00; Fri, 28 Sep 2001 02:57:30 +0200
Received: from marcus by localhost with local (Exim 3.32 #1 (Debian)) id 15mlDI-0004JG-00 for ; Fri, 28 Sep 2001 02:09:08 +0200
Date: Fri, 28 Sep 2001 02:09:08 +0200
From: Marcus Brinkmann
To: submit@bugs.debian.org
Subject: not paranoid enough about device name
Message-ID: <20010928020908.G1941@212.23.136.22>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.22i
Sender: Marcus Brinkmann
Delivered-To: submit@bugs.debian.org

Package: gnumach

gnumach device_open is not paranoid enough about the device name. I haven't tried it, but I think that having 128 non-digits with no trailing zero will make gnumach run past the buffer in dev_name_lookup.

Maybe not worth fixing for gnumach (esp as opening a device requires the device master port anyway). But it reminds me of the broader issue of the necessity to audit the code, esp at the borders caused by user supplied data.

Thanks,
Marcus

--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
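
The failure mode described in the report, as an added example that is not gnumach source and not part of the original message: an unbounded scan over a fixed-size name field next to a bounded parse that rejects an unterminated name. The 128-byte size comes from the report; the `<prefix>[<unit>]` name form, the 65535 unit limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEV_NAME_MAX 128 /* field size from the report; layout is assumed */

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Unbounded scan: stops only at a digit or a NUL, so DEV_NAME_MAX
 * non-digit bytes with no NUL send it past the end of the field.
 * Correct only for NUL-terminated input. */
size_t prefix_len_unbounded(const char *name)
{
    const char *cp = name;
    while (*cp != '\0' && !is_digit(*cp))
        cp++;
    return (size_t)(cp - name);
}

/* Bounded parse of "<prefix>[<unit>]" in a field of `size` bytes.
 * Returns the unit number (0 if absent), or -1 if the name is
 * unterminated or malformed. Never reads beyond field[size - 1]. */
long parse_dev_unit(const char *field, size_t size)
{
    const char *nul = memchr(field, '\0', size);
    size_t len, i;
    long unit = 0;

    if (nul == NULL)
        return -1;                 /* no terminator inside the field */
    len = (size_t)(nul - field);
    for (i = 0; i < len && !is_digit(field[i]); i++)
        ;
    if (i == 0)
        return -1;                 /* empty prefix */
    for (; i < len && is_digit(field[i]); i++) {
        unit = unit * 10 + (field[i] - '0');
        if (unit > 65535)
            return -1;             /* range limit is an assumption */
    }
    return i == len ? unit : -1;   /* reject junk after the unit */
}

/* Constructed input from the report: 128 non-digits and no NUL. */
long demo_unterminated(void)
{
    char field[DEV_NAME_MAX];
    memset(field, 'a', sizeof field);
    return parse_dev_unit(field, sizeof field);
}
```

The bounded version establishes the terminator with `memchr` before any character-class scan, so every later loop is limited by a length that is known to lie inside the field.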