bug-tar

Re: username and groupname prone to overflowing


From: exploit dev
Subject: Re: username and groupname prone to overflowing
Date: Mon, 23 Dec 2024 23:27:27 +0100

my bad, I missed that uname is of max size 31.


On Mon, 23 Dec 2024 at 15:37, exploit dev <exploitdevvv@gmail.com> wrote:
Hello,

In decode_header(), assign_string_n() takes input from header.uname as value and also as size_t.
If value and n are both controlled, the "l" variable is prone to overflowing inside the xmalloc(l+1)
which will under-allocate p, and over-copy value into it.
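
Added example, not part of either message and not GNU tar's own code: a C model of the bounded copy the thread describes, showing that when n is the width of a fixed-size header field, l can never exceed n, so l + 1 cannot wrap. The names copy_field and copied_len_for, the 32-byte field width, and the use of memchr to bound the length are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a fixed-width header name field; the
   32-byte width is an assumption of this example. */
#define FIELD_SIZE 32

/* Hypothetical helper modelling the pattern discussed in the thread:
   measure at most n bytes of value, allocate l + 1, copy, terminate.
   Returns NULL if l + 1 would wrap or the allocation fails. */
char *copy_field(const char *value, size_t n, size_t *len_out)
{
    /* Bounded length: stop at the first NUL or after n bytes. */
    const char *nul = memchr(value, 0, n);
    size_t l = nul ? (size_t)(nul - value) : n;   /* l <= n always */

    if (l == SIZE_MAX)          /* only here would l + 1 wrap to 0 */
        return NULL;
    char *p = malloc(l + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, value, l);        /* copies exactly what was allocated for */
    p[l] = '\0';
    if (len_out)
        *len_out = l;
    return p;
}

/* Fill a constructed field with `fill` non-NUL bytes (clamped to the
   field width) and return the length copy_field() produced. */
size_t copied_len_for(size_t fill)
{
    char field[FIELD_SIZE];
    memset(field, 0, sizeof field);
    memset(field, 'A', fill > sizeof field ? sizeof field : fill);

    size_t l = 0;
    char *p = copy_field(field, sizeof field, &l);
    size_t result = (p != NULL && strlen(p) == l) ? l : (size_t)-1;
    free(p);
    return result;
}

int main(void)
{
    /* Worst case: field completely filled, no terminating NUL. */
    return copied_len_for(FIELD_SIZE) == FIELD_SIZE ? 0 : 1;
}
```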

