[vbox-dev] Buffer overflow in VBoxNetFltInternal.h
valerio.daelli at gmail.com
Sat Mar 7 16:37:07 UTC 2015
you are right, anyway if you add a variable to the structure
after the array szName, the char buffer szName overflows to the variable
On the other hand, if you leave szName as the last member of the structure, and add
a variable before it, there is no overflow.
Thanks for your attention,
On Sat, Mar 7, 2015 at 4:41 PM, Alexander Eichner <
Alexander.Eichner at oracle.com> wrote:
> Hi Valerio,
> there is no buffer overflow because of the way the memory containing
> VBOXNETFLTINS is allocated.
> See the top of VBoxNetFlt.c:vboxNetFltNewInstance(), the allocation takes
> the size of the name into account.
> Alexander Eichner
> > On 07.03.2015 14:46, Valerio Daelli <valerio.daelli at gmail.com> wrote:
> > Hi,
> > I am working on a patch on the vboxnetflt kernel module on Linux
> (3.18.0 kernel).
> > While inspecting the code of vboxnetlflt, I found something that looks
> to me like a buffer overflow.
> > VBoxNetFltInternal.h declares the structure VBOXNETFLTINS
> > and one of its members is:
> > char szName[1];
> > This array is too small to contain the network device name:
> > so when there is a copy in VBoxNetFlt.c:
> > memcpy(pNew->szName, pszName, cchName + 1);
> > this copy does a buffer overflow of the character array pNew->szName.
> > Basically you are trying to copy a string like 'eno1'
> > or another interface name, into a buffer of chars with length 1.
> > Obviously this implies a buffer overflow.
> > Thanks for your attention,
> > Valerio Daelli
> > _______________________________________________
> > vbox-dev mailing list
> > vbox-dev at virtualbox.org
> > https://www.virtualbox.org/mailman/listinfo/vbox-dev
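The allocation idiom the thread turns on, as an added example (not VirtualBox code): a hypothetical stand-in for VBOXNETFLTINS whose trailing `szName[1]` is sized at allocation time, as the thread says vboxNetFltNewInstance() does, beside a hypothetical layout with a member placed after `szName` and a check showing why a name like "eno1" would spill into that member.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for VBOXNETFLTINS: a fixed header followed by a
 * one-byte name array that is deliberately the LAST member. */
typedef struct NETFLTINS
{
    uint32_t cRefs;
    uint32_t enmState;
    char     szName[1];   /* variable length; must stay last */
} NETFLTINS;

/* Allocation size that accounts for the name, as the thread describes:
 * header up to szName, plus the name and its NUL terminator. */
static size_t netfltInstanceSize(const char *pszName)
{
    return offsetof(NETFLTINS, szName) + strlen(pszName) + 1;
}

/* Allocate and fill an instance; the memcpy stays inside the block
 * because the block was sized for this name. Caller frees. */
static NETFLTINS *netfltNewInstance(const char *pszName)
{
    size_t cchName = strlen(pszName);
    NETFLTINS *pNew = calloc(1, netfltInstanceSize(pszName));
    if (!pNew)
        return NULL;
    memcpy(pNew->szName, pszName, cchName + 1);
    return pNew;
}

/* Hypothetical layout that reintroduces the overflow Valerio describes:
 * a member added after szName, so the name has nowhere to grow into. */
typedef struct NETFLTINS_BAD
{
    uint32_t cRefs;
    char     szName[1];
    uint32_t uAfter;      /* bytes written past szName[0] land here */
} NETFLTINS_BAD;

/* Bytes (including the terminator) that fit before the next member. */
static size_t badLayoutNameCapacity(void)
{
    return offsetof(NETFLTINS_BAD, uAfter) - offsetof(NETFLTINS_BAD, szName);
}

/* Nonzero if copying pszName into the bad layout would clobber uAfter. */
static int badLayoutWouldOverflow(const char *pszName)
{
    return strlen(pszName) + 1 > badLayoutNameCapacity();
}
```

Only padding between `szName` and `uAfter` absorbs a short name, so the capacity check depends on the ABI; a four-character interface name exceeds it on every common one.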