[haiku-commits] r33489 - in haiku/trunk/src/system/kernel: debug vm

  • From: ingo_weinhold@xxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Fri, 9 Oct 2009 05:07:11 +0200 (CEST)

Author: bonefish
Date: 2009-10-09 05:07:11 +0200 (Fri, 09 Oct 2009)
New Revision: 33489
Changeset: http://dev.haiku-os.org/changeset/33489/haiku

Modified:
   haiku/trunk/src/system/kernel/debug/debug.cpp
   haiku/trunk/src/system/kernel/vm/vm.cpp
Log:
Amended the {user,debug}_strlcpy() fix: Due to the strlcpy() semantics of
always returning the source string length, we can't really prevent an overflow
of the source address.


Modified: haiku/trunk/src/system/kernel/debug/debug.cpp
===================================================================
--- haiku/trunk/src/system/kernel/debug/debug.cpp       2009-10-07 23:03:10 UTC 
(rev 33488)
+++ haiku/trunk/src/system/kernel/debug/debug.cpp       2009-10-09 03:07:11 UTC 
(rev 33489)
@@ -1559,6 +1559,8 @@
        // limit size to avoid address overflows
        size_t maxSize = std::min(size,
                ~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
+               // NOTE: Since strlcpy() determines the length of \a from, the 
source
+               // address might still overflow.
 
        debug_strlcpy_parameters parameters = {to, from, maxSize};
 
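Review bot: The new NOTE comment concedes that the source address can still wrap, but the code leaves that case to the underlying copy; if the strlcpy used here walks `from` to its terminator to compute the return value, the read itself can cross the top of the address space even though the write side is bounded by `maxSize`. Consider having the copy stop counting at `maxSize` (strnlen-style), so that the returned length is bounded and the check in the next hunk can never be reached by a wrapped read. Also the comment is indented one level deeper than the statement it annotates, which makes it read as a continuation of the `std::min(...)` argument list; aligning it with `size_t maxSize` would be clearer.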
@@ -1568,7 +1570,7 @@
        }
 
        // If we hit the address overflow boundary, fail.
-       if (parameters.result == maxSize && maxSize < size)
+       if (parameters.result >= maxSize && maxSize < size)
                return B_BAD_ADDRESS;
 
        return parameters.result;
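Review bot: Switching to `parameters.result >= maxSize` is the right consequence of the commit message (the returned source length may exceed `maxSize`), but the comment above it still says "If we hit the address overflow boundary", which no longer describes the `>` half of the condition. Suggest rewording it to say that a result at or past `maxSize` means the copy reached the limit imposed to avoid address overflow, and that the `maxSize < size` part is what distinguishes this from ordinary truncation when the caller's `size` was already the limiting factor. It would also help to state the type of `parameters.result` here, since the comparison against `size_t` is only safe if it is unsigned or already checked non-negative (the vm.cpp variant guards with `result >= 0`; this one does not).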

Modified: haiku/trunk/src/system/kernel/vm/vm.cpp
===================================================================
--- haiku/trunk/src/system/kernel/vm/vm.cpp     2009-10-07 23:03:10 UTC (rev 
33488)
+++ haiku/trunk/src/system/kernel/vm/vm.cpp     2009-10-09 03:07:11 UTC (rev 
33489)
@@ -5491,13 +5491,14 @@
        // limit size to avoid address overflows
        size_t maxSize = std::min(size,
                ~(addr_t)0 - std::max((addr_t)from, (addr_t)to) + 1);
+               // NOTE: Since arch_cpu_user_strlcpy() determines the length of 
\a from,
+               // the source address might still overflow.
 
-
        ssize_t result = arch_cpu_user_strlcpy(to, from, maxSize,
                &thread_get_current_thread()->fault_handler);
 
        // If we hit the address overflow boundary, fail.
-       if (result >= 0 && (size_t)result == maxSize && maxSize < size)
+       if (result >= 0 && (size_t)result >= maxSize && maxSize < size)
                return B_BAD_ADDRESS;
 
        return result;
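Review bot: Same change as in debug.cpp, so the same comment applies: update "If we hit the address overflow boundary, fail." to cover the `>=` case, where `arch_cpu_user_strlcpy()` reports a source length larger than `maxSize`. Since this path already runs under `thread_get_current_thread()->fault_handler`, it would be worth stating in the NOTE (or in the function's header comment) that a source read past the end of the address space is expected to be caught by the fault handler rather than by the `maxSize` limit, so that a future reader does not assume `maxSize` alone makes the source side safe. The two copies of the `maxSize` computation and the overflow check are now identical in debug.cpp and vm.cpp; a small shared inline helper would keep them from drifting apart again.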
