Author: bonefish Date: 2009-10-09 05:07:11 +0200 (Fri, 09 Oct 2009) New Revision: 33489 Changeset: http://dev.haiku-os.org/changeset/33489/haiku Modified: haiku/trunk/src/system/kernel/debug/debug.cpp haiku/trunk/src/system/kernel/vm/vm.cpp Log: Amended the {user,debug}_strlcpy() fix: Due to the strlcpy() semantics to always return the source string length, we can't really prevent an overflow of the source address.
Modified: haiku/trunk/src/system/kernel/debug/debug.cpp
===================================================================
--- haiku/trunk/src/system/kernel/debug/debug.cpp 2009-10-07 23:03:10 UTC (rev 33488)
+++ haiku/trunk/src/system/kernel/debug/debug.cpp 2009-10-09 03:07:11 UTC (rev 33489)
@@ -1559,6 +1559,8 @@
 // limit size to avoid address overflows
 size_t maxSize = std::min(size, ~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
+ // NOTE: Since strlcpy() determines the length of \a from, the source
+ // address might still overflow.
 debug_strlcpy_parameters parameters = {to, from, maxSize};
@@ -1568,7 +1570,7 @@
 }
 // If we hit the address overflow boundary, fail.
- if (parameters.result == maxSize && maxSize < size)
+ if (parameters.result >= maxSize && maxSize < size)
 return B_BAD_ADDRESS;
 return parameters.result;
Modified: haiku/trunk/src/system/kernel/vm/vm.cpp
===================================================================
--- haiku/trunk/src/system/kernel/vm/vm.cpp 2009-10-07 23:03:10 UTC (rev 33488)
+++ haiku/trunk/src/system/kernel/vm/vm.cpp 2009-10-09 03:07:11 UTC (rev 33489)
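Review bot: The new NOTE records that the source address may still overflow, but not what that means for the function's contract: `maxSize` bounds the bytes written to `to`, while the scan of `from` runs on to its terminator, so `size` does not bound how far `from` is read. A caller passing a buffer that is not known to be NUL-terminated should be told that only a fault on the scan stops it; the `}` opening the next hunk suggests the copy runs under a fault handler, but that code is outside the hunk. I would extend the comment to `// NOTE: Since strlcpy() determines the length of \a from, the source` / `// address might still overflow: maxSize bounds the bytes written to \a to,` / `// not the bytes read from \a from.` The NOTE added to vm.cpp in this commit has the same gap.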
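Review bot: With `==` replaced by `>=`, the comparison of `parameters.result` against the unsigned `maxSize` now behaves differently for negative values: if `result` is a signed type that can carry an error value (the vm.cpp variant guards its check with `result >= 0`, which suggests so; the struct's definition is outside the hunk), a negative result converts to a large unsigned value, satisfies `>= maxSize`, and is reported as B_BAD_ADDRESS whenever `maxSize < size`, whereas with `maxSize == size` the same negative value is returned unchanged. Mirroring vm.cpp with `if (parameters.result >= 0 && (size_t)parameters.result >= maxSize && maxSize < size)` makes the intent explicit; if `result` is unsigned, a one-line comment saying so would settle it. The enclosing function starts and ends outside the hunk.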
@@ -5491,13 +5491,14 @@
 // limit size to avoid address overflows
 size_t maxSize = std::min(size, ~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
+ // NOTE: Since arch_cpu_user_strlcpy() determines the length of \a from,
+ // the source address might still overflow.
-
 ssize_t result = arch_cpu_user_strlcpy(to, from, maxSize, &thread_get_current_thread()->fault_handler);
 // If we hit the address overflow boundary, fail.
- if (result >= 0 && (size_t)result == maxSize && maxSize < size)
+ if (result >= 0 && (size_t)result >= maxSize && maxSize < size)
 return B_BAD_ADDRESS;
 return result;
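Review bot: The comment on the check, `// If we hit the address overflow boundary, fail.`, no longer explains the condition it guards: `result` is the length of `from` as arch_cpu_user_strlcpy() reports it, so it can exceed `maxSize` rather than only equal it when the source is longer than the clamped limit, which is the reason for `>=`. The NOTE two lines up says this about the length, but not that it is why the check is not an equality. I would add a line below the existing comment: `// The result is the length of \a from, so it can exceed maxSize.` The identical check in the debug.cpp hunk would benefit from the same line. The enclosing function begins and ends outside the hunk.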