[vbox-dev] Buffer overflow in VBoxNetFltInternal.h

Alexander Eichner Alexander.Eichner at oracle.com
Sat Mar 7 15:41:11 GMT 2015


Hi Valerio,

there is no buffer overflow because of the way the memory containing VBOXNETFLTINS is allocated.
See the top of VBoxNetFlt.c:vboxNetFltNewInstance(), the allocation takes the size of the name into account.

Regards,
Alexander Eichner

> On 07.03.2015 14:46, Valerio Daelli <valerio.daelli at gmail.com> wrote:
> 
> Hi,
> 
>   I am working on a patch on the vboxnetflt kernel module on Linux (3.18.0 kernel).
> While inspecting the code of vboxnetflt, I found something that looks to me like a buffer overflow.
> 
> VBoxNetFltInternal.h declares the structure VBOXNETFLTINS
> and one of its members is: 
> char szName[1];
> This array is too small to contain the network device name:
> so when there is a copy in VBoxNetFlt.c:
> 
>     memcpy(pNew->szName, pszName, cchName + 1);
> 
> this copy does a buffer overflow of the character array pNew->szName.
> 
> Basically you are trying to copy a string like 'eno1'
> or another interface name, into a buffer of chars with length 1.
> Obviously this implies a buffer overflow.
> Thanks for your attention,
> 
>   Valerio Daelli
> 
> _______________________________________________
> vbox-dev mailing list
> vbox-dev at virtualbox.org
> https://www.virtualbox.org/mailman/listinfo/vbox-dev
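The allocation pattern Alexander points to, as an added example that is not code from VirtualBox: a hypothetical DEMOINST stand-in for VBOXNETFLTINS with a trailing szName[1] is over-allocated with offsetof() plus the name length, so a memcpy of cchName + 1 bytes stays inside the block, and a small check shows how many bytes the copy would overrun if the instance were instead allocated with plain sizeof(). It assumes, as the reply implies, that szName is the final member of the structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for VBOXNETFLTINS. The trailing one-element array must be
 * the LAST member, because its real storage comes from over-allocating the struct. */
typedef struct DEMOINST {
    unsigned cRefs;       /* placeholder for the real structure's other members */
    char     szName[1];   /* "struct hack": actual length decided at allocation time */
} DEMOINST;

/* Bytes needed for an instance whose szName holds pszName plus its terminator.
 * offsetof() rather than sizeof() so the declared byte is not counted twice. */
size_t demoInstanceSize(const char *pszName)
{
    return offsetof(DEMOINST, szName) + strlen(pszName) + 1;
}

/* Allocate an instance sized for pszName and copy the name in, the same shape as the
 * copy quoted above: the bound on the memcpy is the allocation, not szName[1]. */
DEMOINST *demoNewInstance(const char *pszName)
{
    size_t cchName = strlen(pszName);
    DEMOINST *pNew = calloc(1, demoInstanceSize(pszName));
    if (!pNew)
        return NULL;
    pNew->cRefs = 1;
    memcpy(pNew->szName, pszName, cchName + 1);   /* stays inside the allocation */
    return pNew;
}

/* Review check for this idiom: bytes the copy would write past an allocation of
 * cbAlloc bytes (0 = fits). Passing sizeof(DEMOINST) models the mistake that WOULD overflow. */
size_t demoBytesPastAlloc(size_t cbAlloc, const char *pszName)
{
    size_t cbNeeded = demoInstanceSize(pszName);
    return cbNeeded > cbAlloc ? cbNeeded - cbAlloc : 0;
}

/* Allocate, copy, verify the stored name round-trips within bounds, and free. */
bool demoRoundTrip(const char *pszName)
{
    DEMOINST *pInst = demoNewInstance(pszName);
    bool fOk = pInst && strcmp(pInst->szName, pszName) == 0
            && demoBytesPastAlloc(demoInstanceSize(pszName), pszName) == 0;
    free(pInst);
    return fOk;
}
```

When reviewing a `char name[1]` at the end of a structure, the question is therefore how the enclosing object is allocated, not how the array is declared.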
