[sane-devel] Fwd: [sane-Bugs][315132] fixes too small arrays in backend/niash.c
Olaf Meeuwissen
paddy-hack at member.fsf.org
Mon Sep 14 09:28:59 UTC 2015
Stef writes:
> Hello,
>
> I think that this one isn't a bug. I'm considering closing it as
> 'invalid'. May someone double-check ?
When used through a well-behaved SANE frontend nothing bad will happen.
In that respect it is perhaps not a bug.
It sure is a coding style that is begging for trouble and just waiting
to blow up in your face.
All I have to do to turn it into a bug is write a frontend that calls

    SANE_Word sane_word;
    sane_control_option (h, 17, SANE_ACTION_GET_VALUE, &sane_word, NULL);

and you have a security vulnerability on your hands.
# I thought about passing NULL instead of &sane_word but decided not to
# to avoid an unchecked NULL dereference.
The SANE API Spec has nothing to say on calling sane_control_option with
values of n larger than or equal to the option count (optLast for the niash
backend).
I don't like the proposed patch much though. How about the attached?
At least it addresses the above issue(s). The coding style issue is not
addressed though.
Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
Support Free Software Support the Free Software Foundation
https://my.fsf.org/donate https://my.fsf.org/join
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-niash.c-Add-argument-screening-to-sane_control_optio.patch
Type: text/x-diff
Size: 1026 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/sane-devel/attachments/20150914/970e8a78/attachment.patch>
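
An added example, not part of the original message and not the attached patch: a self-contained C model of a backend option handler that screens the frontend-supplied handle, option index and value pointer before using them, so the call with n = 17 shown above is rejected instead of indexing past the option array. The type and function names are stand-ins for the SANE ones so it builds without sane/sane.h, and the option list is constructed; only optLast is taken from the message.

```c
#include <stddef.h>

/* Stand-ins for SANE_Word, SANE_Status and SANE_Action (assumed names,
 * so the example builds without sane/sane.h). */
typedef int word_t;
typedef enum { STATUS_GOOD = 0, STATUS_INVAL } status_t;
typedef enum { ACTION_GET_VALUE = 0, ACTION_SET_VALUE } action_t;

/* Constructed option list; only the name optLast comes from the message. */
enum { optCount = 0, optDPI, optMode, optLast };

typedef struct {
    word_t values[optLast];   /* one slot per option, indexed by n */
} scanner_t;

/* Hypothetical handler: every argument a frontend controls is checked
 * before it is dereferenced or used as an array index. */
status_t demo_control_option(scanner_t *s, int n, action_t a, void *v, int *info)
{
    if (s == NULL || v == NULL)    /* no unchecked NULL dereference */
        return STATUS_INVAL;
    if (n < 0 || n >= optLast)     /* rejects n == 17 and n == optLast */
        return STATUS_INVAL;
    if (info != NULL)              /* info is optional for the caller */
        *info = 0;

    switch (a) {
    case ACTION_GET_VALUE:
        *(word_t *)v = s->values[n];
        return STATUS_GOOD;
    case ACTION_SET_VALUE:
        if (n == optCount)         /* option 0 (the count) is read-only */
            return STATUS_INVAL;
        s->values[n] = *(word_t *)v;
        return STATUS_GOOD;
    }
    return STATUS_INVAL;           /* unknown action value */
}
```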