[PATCH] fix possible buffer overflow

[PATCH] fix possible buffer overflow

On Tue, Jan 27, 2004 at 11:02:25AM -0800, Greg KH wrote:
> On Mon, Jan 26, 2004 at 07:28:03PM -0500, Adrian Drzewiecki wrote:
> > Looking over the code, I noticed something odd in
> > namedev.c:strcmp_pattern() --
> >
> > 	while (*p && (*p != ']'))
> > 		p ++;
> > 	return strcmp_pattern(p+1, s+1);
> >
> > If the pattern string is invalid, and is not terminated by a ']', then 'p'
> > will point at \0 and p+1 will be beyond the string.
>
> Yes, I think you are correct.
>
> Hm, Kay, any idea of the proper way to fix this?  I've attached a patch
> below, but I don't think it is correct.
>
>  					while (*p && (*p != ']'))
>  						p++;
> -					return strcmp_pattern(p+1, s+1);
> +					if (*p)
> +						return strcmp_pattern(p+1, s+1);
> +					else
> +						return 1;
>  				}
>  			}

Sure, it's perfectly correct. I'm wondering how Adrian found this.

We can use the return 1 at the end of the whole function, and asking
for the closing ']' is more descriptive, but it does the same.

-					return strcmp_pattern(p+1, s+1);
+					if (*p == ']')
+						return strcmp_pattern(p+1, s+1);

Patch is attached, that also replaces all the *s with s[0].