The GNU Hurd - Bugs

bug #28446: No checks are made for unterminated strings in RPC messages

Submitter: Carl Fredrik Hammar <hammy>
Submitted: Wed 30 Dec 2009 07:42:20 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Open/Closed: Open
Reproducibility: None
Size (loc): None
Planned Release: None
Effort: 0.00

Tue 12 Jul 2016 09:05:45 AM UTC, comment #1: 

The client-side dir_lookup function generated by MIG calls __mig_strncpy(InP->file_name, file_name, 1024) to copy the file name to the request message.  If the file name is too long, this silently truncates it and does not append a null character.  So you can also test the server behavior by trying to open such a file via libc:

rpctrace -E LC_ALL=C -s 2000 cat $(perl -e "print 'a' x 1020")12345

This shows the string in the message ends with "aaa1234".

I think MIG-generated code should return an error instead of truncating the string.  This is less important than fixing the code that examines received messages, though.

Kalle Olavi Niemitalo <kon>
Wed 30 Dec 2009 07:42:20 PM UTC, original submission:  

Strings in RPCs, such as the filename argument to a dir_lookup,
are not checked if they are terminated by '\0'.  This could lead
to the server segfaulting if it tries to read the string.

Making MIG check that strings are terminated seems like the
proper fix.

I have attached a program that sends an unterminated dir_lookup to
its first argument, which can be used to test how translators
react. For instance, ext2fs reacts by sending ENAMETOOLONG.

Carl Fredrik Hammar <hammy>
Group Member
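
An added example, not part of this report and not MIG or Hurd code: one way to perform the two checks discussed above, a sender that returns an error instead of truncating and a receiver that verifies termination before reading the field as a C string. The 1024-byte field size comes from comment #1; the struct and function names are hypothetical, and returning ENAMETOOLONG from the sender is an assumption (the submission reports that code only as ext2fs's reply).

```c
#include <errno.h>
#include <string.h>

#define NAME_FIELD 1024 /* size passed to __mig_strncpy in comment #1 */
/* Hypothetical stand-in for the request's fixed-size file_name field. */
struct lookup_req { char file_name[NAME_FIELD]; };

/* Length of s if a NUL occurs within the first max bytes, else max. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Sender: reject a name that does not fit with its terminator (error code is an assumption). */
int pack_name(struct lookup_req *req, const char *name)
{
    size_t len = bounded_len(name, NAME_FIELD);
    if (len == NAME_FIELD) return ENAMETOOLONG;
    memcpy(req->file_name, name, len);
    memset(req->file_name + len, 0, NAME_FIELD - len); /* terminate, clear stale bytes */
    return 0;
}

/* Receiver: bounded scan before any str* function touches the field. */
int check_name(const struct lookup_req *req)
{
    return bounded_len(req->file_name, NAME_FIELD) == NAME_FIELD ? ENAMETOOLONG : 0;
}

/* Constructed input: n bytes of 'a' sent through pack_name, then checked.
   n = 1025 mirrors the 1020 + 5 character name in the rpctrace command. */
int roundtrip(size_t n)
{
    static char name[NAME_FIELD + 8];
    struct lookup_req req;
    if (n >= sizeof name) return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    int rc = pack_name(&req, name);
    return rc ? rc : check_name(&req);
}

/* Constructed input: a field with no NUL anywhere, as a truncating sender produces. */
int check_unterminated(void)
{
    struct lookup_req req;
    memset(req.file_name, 'a', NAME_FIELD);
    return check_name(&req);
}
```

The longest name accepted is 1023 bytes, since the terminator has to fit inside the 1024-byte field.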


Attached Files
file #19398:  unterm-path.c added by hammy (6KiB - text/x-csrc)




Follows 1 latest change.

Date | Changed by | Updated Field | Previous Value | Replaced by
2009-12-30 | hammy | Attached File | - | Added unterm-path.c, #19398
