From d1729bed6b741cc6112e4da72c3bae286bbb9f7c Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] 0042-proc/slab.h: Fix off-by-one overflow in sscanf(). In proc/slab.c, functions parse_slabinfo20() and parse_slabinfo11(), sscanf() might overflow curr->name, because "String input conversions store a terminating null byte ('\0') to mark the end of the input; the maximum field width does not include this terminator." Add one byte to name[] for this terminator. ---------------------------- adapted for newlib branch . file is now proc/slabinfo.c (not .h) . manifest constant renamed SLABINFO_NAME_LEN . older parse_slabinfo11() function no longer present Signed-off-by: Jim Warner --- proc/slabinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proc/slabinfo.c b/proc/slabinfo.c index ba0219c4..966cf7d3 100644 --- a/proc/slabinfo.c +++ b/proc/slabinfo.c @@ -76,7 +76,7 @@ struct slabs_summ { }; struct slabs_node { - char name[SLABINFO_NAME_LEN]; // name of this cache + char name[SLABINFO_NAME_LEN+1]; // name of this cache unsigned long cache_size; // size of entire cache unsigned int nr_objs; // number of objects in this cache unsigned int nr_active_objs; // number of active objects -- 2.40.0