array overflow in gdb/*-stub.c

Adrien Kunysz kunysz@ms804.montefiore.ulg.ac.be
Mon Feb 27 23:31:00 GMT 2006


Hello,
Looks like there is a one-byte overflow in most
gdb/*-stub.c:getpacket().
The "while (count < BUFMAX)" may be exited when count == BUFMAX,
which means "buffer[count] = 0" may overflow the array. Of course,
if count reaches BUFMAX there is probably a problem anyway, and
I don't see any way this overflow could be exploited by an attacker.
But it's still a bug.

The obvious fix is to change the while condition to "count < BUFMAX - 1".

Adrien "Krunch" Kunysz
-------------- next part --------------
diff -ur gdb-6.4.50.20060227.orig/gdb/i386-stub.c gdb-6.4.50.20060227/gdb/i386-stub.c
--- gdb-6.4.50.20060227.orig/gdb/i386-stub.c	2006-02-27 21:27:40.000000000 +0100
+++ gdb-6.4.50.20060227/gdb/i386-stub.c	2006-02-27 21:25:03.000000000 +0100
@@ -474,7 +474,7 @@
       count = 0;
 
       /* now, read until a # or end of buffer is found */
-      while (count < BUFMAX)
+      while (count < BUFMAX - 1)
 	{
 	  ch = getDebugChar ();
 	  if (ch == '$')
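Review bot: with the bound lowered to BUFMAX - 1, the loop stores at most BUFMAX - 1 payload bytes and the terminator written by the `buffer[count] = 0;` that follows this hunk lands on buffer[BUFMAX - 1], the last valid element. That is the right fix for the off-by-one, but it silently shrinks the largest packet the i386 stub accepts by one byte; please confirm nothing on the gdb side assumes a full BUFMAX bytes of payload fit, and consider a short comment on the `- 1` so the reserved terminator slot is not "fixed" back later.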
diff -ur gdb-6.4.50.20060227.orig/gdb/m32r-stub.c gdb-6.4.50.20060227/gdb/m32r-stub.c
--- gdb-6.4.50.20060227.orig/gdb/m32r-stub.c	2006-02-27 21:27:40.000000000 +0100
+++ gdb-6.4.50.20060227/gdb/m32r-stub.c	2006-02-27 21:25:22.000000000 +0100
@@ -605,7 +605,7 @@
       count = 0;
 
       /* now, read until a # or end of buffer is found */
-      while (count < BUFMAX)
+      while (count < BUFMAX - 1)
 	{
 	  ch = getDebugChar ();
 	  if (ch == '$')
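Review bot: the new condition `while (count < BUFMAX - 1)` only makes sense together with the `buffer[count] = 0;` after the loop, which is outside the visible context here; a one-line comment next to the bound (e.g. "leave room for the terminating NUL") would make that coupling explicit in the m32r stub, since the existing comment "read until a # or end of buffer is found" does not say why one byte is held back.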
diff -ur gdb-6.4.50.20060227.orig/gdb/m68k-stub.c gdb-6.4.50.20060227/gdb/m68k-stub.c
--- gdb-6.4.50.20060227.orig/gdb/m68k-stub.c	2006-02-27 21:27:40.000000000 +0100
+++ gdb-6.4.50.20060227/gdb/m68k-stub.c	2006-02-27 21:25:47.000000000 +0100
@@ -553,7 +553,7 @@
       count = 0;
 
       /* now, read until a # or end of buffer is found */
-      while (count < BUFMAX)
+      while (count < BUFMAX - 1)
 	{
 	  ch = getDebugChar ();
 	  if (ch == '$')
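Review bot: the same one-byte reservation is applied here as in the other stubs, which is consistent; an alternative that keeps the full BUFMAX payload would be to declare the buffer BUFMAX + 1 bytes and leave the loop bound alone. Either is fine, but the patch should pick one approach and document it, because the m68k stub's `buffer[count] = 0;` after the loop is the only consumer of the extra slot.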
diff -ur gdb-6.4.50.20060227.orig/gdb/sh-stub.c gdb-6.4.50.20060227/gdb/sh-stub.c
--- gdb-6.4.50.20060227.orig/gdb/sh-stub.c	2006-02-27 21:27:40.000000000 +0100
+++ gdb-6.4.50.20060227/gdb/sh-stub.c	2006-02-27 21:26:06.000000000 +0100
@@ -403,7 +403,7 @@
       count = 0;
 
       /* now, read until a # or end of buffer is found */
-      while (count < BUFMAX)
+      while (count < BUFMAX - 1)
 	{
 	  ch = getDebugChar ();
           if (ch == '$')
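Review bot: when the loop now exits at count == BUFMAX - 1 without having seen '#', the sh stub has read an over-long packet and will discard it; that behaviour is unchanged by this hunk, but it is worth noting in the ChangeLog that the fix only prevents the out-of-bounds terminator write and does not make over-long packets recoverable.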
diff -ur gdb-6.4.50.20060227.orig/gdb/sparc-stub.c gdb-6.4.50.20060227/gdb/sparc-stub.c
--- gdb-6.4.50.20060227.orig/gdb/sparc-stub.c	2006-02-27 21:27:40.000000000 +0100
+++ gdb-6.4.50.20060227/gdb/sparc-stub.c	2006-02-27 21:26:40.000000000 +0100
@@ -306,7 +306,7 @@
       count = 0;
 
       /* now, read until a # or end of buffer is found */
-      while (count < BUFMAX)
+      while (count < BUFMAX - 1)
 	{
 	  ch = getDebugChar ();
           if (ch == '$')
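Review bot: the covering mail says the loop exists in "most" gdb/*-stub.c files, and this is the last of the five hunks; since the change is identical in each, please grep the remaining stubs for the same `while (count < BUFMAX)` pattern so the sparc stub is not fixed while another with the same loop is left with the one-byte overflow.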
-------------- next part --------------
2006-02-27 Adrien Kunysz <a_kunysz@yahoo.com>
	* gdb/i386-stub.c (getpacket): Array overflow.
	* gdb/m32r-stub.c (getpacket): Array overflow.
	* gdb/m68k-stub.c (getpacket): Array overflow.
	* gdb/sh-stub.c (getpacket): Array overflow.
	* gdb/sparc-stub.c (getpacket): Array overflow.
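The off-by-one described above, as an added example that is not code from gdb or from the stubs: a small model of the getpacket() read loop fed from a constructed in-memory "serial line" instead of getDebugChar(). BUFMAX is shrunk to 8 (an assumption; the stubs use a larger value) so the bound is reached quickly, and the byte right after the array is modelled as a canary so the stray terminator write can be observed without undefined behaviour. `serial_line`, `next_char`, `read_packet` and `terminator_in_bounds` are names introduced here for the example.

```c
/* Added example (not gdb stub code): model of getpacket()'s read loop
   with the original bound (BUFMAX) and the patched bound (BUFMAX - 1). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFMAX 8          /* assumption: small stand-in for the stubs' BUFMAX */
#define CANARY 0x5a       /* value of the byte sitting right after buffer[] */

/* Constructed serial input standing in for getDebugChar(), which in the
   real stubs blocks on the debug UART. */
struct serial_line {
    const char *data;
    size_t len;
    size_t pos;
};

static int next_char(struct serial_line *l)
{
    if (l->pos >= l->len)
        return -1;        /* line went quiet; the real stub would keep waiting */
    return (unsigned char)l->data[l->pos++];
}

/* Models:   while (count < limit) { ... buffer[count] = ch; count++; }
             buffer[count] = 0;
   'backing' is BUFMAX + 1 bytes: indices 0..BUFMAX-1 are the stub's
   buffer[], index BUFMAX is a canary standing in for whatever object
   follows the array in memory.  Returns the index the NUL was written to,
   i.e. the final value of count. */
static int read_packet(struct serial_line *l, int limit, unsigned char *backing)
{
    int count = 0;
    int ch;

    memset(backing, 0, BUFMAX);
    backing[BUFMAX] = CANARY;

    while (count < limit) {
        ch = next_char(l);
        if (ch < 0 || ch == '$' || ch == '#')
            break;                      /* end of packet (or of input) */
        backing[count] = (unsigned char)ch;
        count = count + 1;
    }
    backing[count] = 0;                 /* the stub's buffer[count] = 0; */
    return count;
}

/* Runs the loop on 'input' with the given bound and reports whether the
   terminator stayed inside buffer[0..BUFMAX-1]: 1 if so, 0 if it landed on
   the canary (count == BUFMAX, the overflow from the report). */
static int terminator_in_bounds(const char *input, int limit)
{
    unsigned char backing[BUFMAX + 1];
    struct serial_line l = { input, strlen(input), 0 };
    int count = read_packet(&l, limit, backing);

    return count < BUFMAX && backing[BUFMAX] == CANARY;
}

int main(void)
{
    /* Constructed inputs: a normal short packet, and a run of payload
       bytes with no '#' that is longer than BUFMAX. */
    const char *ok = "g#67";
    const char *too_long = "0123456789abcdef";

    printf("short packet, bound BUFMAX     : %s\n",
           terminator_in_bounds(ok, BUFMAX) ? "in bounds" : "OVERFLOW");
    printf("over-long packet, bound BUFMAX : %s\n",
           terminator_in_bounds(too_long, BUFMAX) ? "in bounds" : "OVERFLOW");
    printf("over-long packet, bound BUFMAX-1: %s\n",
           terminator_in_bounds(too_long, BUFMAX - 1) ? "in bounds" : "OVERFLOW");
    return 0;
}
```

With the original bound the over-long input drives count to BUFMAX and the NUL clobbers the canary; with the patched bound the loop stops one byte earlier and the terminator lands on the last element of the array. A normal packet is unaffected either way, which is why the report notes the overflow is only reachable when the packet is already too long to be processed.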



More information about the Gdb-patches mailing list