Skip to content

Update redir.c - Fix off-by-one heap buffer overflow in copyloop()#47

Open
MinisterForDubiousNetworkActivities wants to merge 1 commit into
troglobit:masterfrom
MinisterForDubiousNetworkActivities:patch-1
Open

Update redir.c - Fix off-by-one heap buffer overflow in copyloop()#47
MinisterForDubiousNetworkActivities wants to merge 1 commit into
troglobit:masterfrom
MinisterForDubiousNetworkActivities:patch-1

Conversation

@MinisterForDubiousNetworkActivities

@MinisterForDubiousNetworkActivities MinisterForDubiousNetworkActivities commented Jun 17, 2026

Copy link
Copy Markdown

malloc(bufsize) allocates exactly bufsize bytes, but buf[bytes] = 0 can write one byte past the end when read() returns bufsize bytes. Fix by allocating bufsize + 1 to make room for the NUL terminator.

This heapoverflow leads to DOS.

malloc(bufsize) allocates exactly bufsize bytes, but buf[bytes] = 0
can write one byte past the end when read() returns bufsize bytes.
Fix by allocating bufsize + 1 to make room for the NUL terminator.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant