From owner-svn-src-all@FreeBSD.ORG Thu Jul 29 22:55:59 2010
Delivered-To: svn-src-all@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2C88C1065676;
	Thu, 29 Jul 2010 22:55:59 +0000 (UTC)
	(envelope-from jilles@stack.nl)
Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104])
	by mx1.freebsd.org (Postfix) with ESMTP id E69CE8FC1C;
	Thu, 29 Jul 2010 22:55:58 +0000 (UTC)
Received: from turtle.stack.nl (turtle.stack.nl [IPv6:2001:610:1108:5010::132])
	by mx1.stack.nl (Postfix) with ESMTP id 55EC635A834;
	Fri, 30 Jul 2010 00:55:58 +0200 (CEST)
Received: by turtle.stack.nl (Postfix, from userid 1677)
	id 439BB17267; Fri, 30 Jul 2010 00:55:58 +0200 (CEST)
Date: Fri, 30 Jul 2010 00:55:58 +0200
From: Jilles Tjoelker
To: d@delphij.net
Message-ID: <20100729225558.GB42378@stack.nl>
References: <201007290011.o6T0BE0l072516@svn.freebsd.org>
	<20100729122034.GA28899@stack.nl>
	<4C51FFB6.7040802@delphij.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4C51FFB6.7040802@delphij.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: svn-src-head@FreeBSD.ORG, svn-src-all@FreeBSD.ORG,
	src-committers@FreeBSD.ORG, Gabor Kovesdan
Subject: Re: svn commit: r210578 - head/usr.bin/grep
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
X-List-Received-Date: Thu, 29 Jul 2010 22:55:59 -0000

On Thu, Jul 29, 2010 at 03:24:54PM -0700, Xin LI wrote:
> On 2010/07/29 05:20, Jilles Tjoelker wrote:
> > Note that this code may not be safe if fg->len comes from an untrusted
> > user, as fg->len + 1 is 0 if fg->len == SIZE_MAX. This is not the case
> > if fg->len is an actual length from strlen() or similar.

> Speaking for this piece of code, I have to say that the modified version
> is actually safer (an improvement, as the attacker could not overwrite
> arbitrary memory).

> If fg->len + 1 == 0, fg->pattern would point to a small area (assuming
> normal malloc.conf setting without V) where, for memcpy, it would
> overwrite fg->len bytes, while strlcpy() will do nothing.

> By the way how can fg->len come from an untrusted party? It's
> strlen(pat) which I don't think can ever reach SIZE_MAX without crashing
> the program.

Right, fg->len comes from a strlen() so adding one to it is safe. My
remark was directed at similar code where a length comes from a number
supplied by an untrusted user.

> I'll dig further for this piece of code anyways.

-- 
Jilles Tjoelker
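The size_t wraparound the thread is about, as an added worked example that is
not code from usr.bin/grep, from r210578 or from either poster. The struct
fastgrep with its len and pattern fields is a hypothetical stand-in for the
fg->len / fg->pattern mentioned above; fg_set_pattern() is a hypothetical
caller that takes the length from an untrusted source; bsd_strlcpy() is a
local reimplementation assumed to match the BSD strlcpy() semantics, so that
the example builds on systems whose libc lacks it. naive_alloc_size() shows
the malloc(fg->len + 1) argument wrapping to 0 at SIZE_MAX, and
strlcpy_zero_size_is_noop() shows why a strlcpy() into that 0-byte request
writes nothing while a memcpy() of fg->len bytes would not stop:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for grep's fastgrep state: a pattern and its length.
 * Only the two fields the thread talks about are modelled. */
struct fastgrep {
	size_t len;
	char *pattern;
};

/* The size the unchecked code hands to malloc(): len + 1.  size_t arithmetic
 * is modular, so this is 0 when len == SIZE_MAX. */
static size_t naive_alloc_size(size_t len)
{
	return len + 1;
}

/* strlcpy() with BSD semantics, reimplemented here (assumption: matches the
 * FreeBSD libc behaviour).  With dstsize == 0 it touches dst not at all and
 * only returns strlen(src), which is the "will do nothing" case above. */
static size_t bsd_strlcpy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);

	if (dstsize != 0) {
		size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* Copy an untrusted (pat, len) pair into fg.  The check for SIZE_MAX runs
 * before len + 1 can wrap, so the memcpy() can never run past the
 * allocation.  Returns 0 on success, -1 with errno set on failure. */
static int fg_set_pattern(struct fastgrep *fg, const char *pat, size_t len)
{
	char *p;

	if (len == SIZE_MAX) {
		errno = EOVERFLOW;
		return -1;
	}
	p = malloc(len + 1);
	if (p == NULL)
		return -1;
	memcpy(p, pat, len);
	p[len] = '\0';
	fg->pattern = p;
	fg->len = len;
	return 0;
}

/* Feed strlcpy() the wrapped size naive_alloc_size(SIZE_MAX) == 0 and check
 * that a pre-filled buffer is left untouched.  Returns 1 if so. */
static int strlcpy_zero_size_is_noop(void)
{
	char buf[8] = "XXXXXXX";	/* constructed sentinel contents */
	size_t ret = bsd_strlcpy(buf, "pattern", naive_alloc_size(SIZE_MAX));

	return ret == 7 && memcmp(buf, "XXXXXXX", 8) == 0;
}

int main(void)
{
	struct fastgrep fg = { 0, NULL };

	printf("SIZE_MAX + 1 == %zu\n", naive_alloc_size(SIZE_MAX));
	if (fg_set_pattern(&fg, "ab", SIZE_MAX) == -1)
		printf("len SIZE_MAX rejected: %s\n", strerror(errno));
	if (fg_set_pattern(&fg, "foo.*bar", strlen("foo.*bar")) == 0)
		printf("pattern \"%s\", len %zu\n", fg.pattern, fg.len);
	printf("strlcpy with size 0 is a no-op: %d\n",
	    strlcpy_zero_size_is_noop());
	free(fg.pattern);
	return 0;
}
```

The guard in fg_set_pattern() is the one Jilles' remark asks for whenever the
length is not the result of a strlen(); when it is, the wrap cannot occur
because a NUL-terminated string of SIZE_MAX bytes cannot exist in the address
space, which is Xin LI's point.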