RFR(S): 8038233 : Fix unsafe strcpy in Java_sun_tools_attach_{Aix, Bsd, Linux}VirtualMachine_connect()

Dmitry Samersoff dmitry.samersoff at oracle.com
Fri Mar 28 13:46:26 UTC 2014


Volker,

I think we should check the length of the passed filename and
throw an exception if the filename is too long.

Otherwise we can end up opening the wrong file with possibly unexpected
permissions.

-Dmitry

On 2014-03-27 22:08, Volker Simonis wrote:
> Hi,
> 
> a security audit for the PPC64/AIX port revealed an insecure usage of
> 'strcpy' in Java_sun_tools_attach_AixVirtualMachine_connect(). Because
> the same coding is also used in the Linux and BSD implementations, the
> following change fixes them all together:
> 
> http://cr.openjdk.java.net/~simonis/webrevs/8038233/
> https://bugs.openjdk.java.net/browse/JDK-8038233
> 
> Compiled and tested (with the com/sun/jdi, com/sun/tools/attach,
> com/sun/management and sun/management JTreg tests) on Linux, MacOS X
> and AIX.
> 
> Please notice that this fix is also intended for backporting to 8u.
> 
> Thank you and best regards,
> Volker
> 


-- 
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.
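An added illustration of the length check Dmitry asks for, in plain C; this is not the webrev's code nor either poster's, and it assumes the destination of the copy is a sockaddr_un.sun_path, as a Unix-domain connect() would use. The helper names and status codes are assumptions; where the JNI connect function would throw an exception, this sketch returns PATH_TOO_LONG, and the last function shows why a merely bounded copy is not an acceptable substitute.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical status codes; the JNI caller would throw an IOException on PATH_TOO_LONG. */
enum { PATH_OK = 0, PATH_TOO_LONG = -1, PATH_CORRUPT = -2 };

/* Hardened form: the whole path, NUL included, must fit in sun_path or the
 * call is refused; a truncated path would silently name a different file. */
int fill_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);
    if (len >= sizeof(addr->sun_path))
        return PATH_TOO_LONG;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1);
    return PATH_OK;
}

/* sizeof(sun_path) on this platform (it differs between Linux and the BSDs). */
size_t sun_path_capacity(void) { return sizeof(((struct sockaddr_un *)0)->sun_path); }

/* Constructed input of 'len' 'a' characters (len must be <= capacity); returns
 * the fill status, or PATH_CORRUPT if accepted but not copied intact. */
int status_for_path_len(size_t len)
{
    struct sockaddr_un addr;
    char path[sizeof(addr.sun_path) + 1];   /* room for the overlong case */
    memset(path, 'a', len);
    path[len] = '\0';
    int rc = fill_unix_addr(&addr, path);
    if (rc == PATH_OK && (addr.sun_family != AF_UNIX || strcmp(addr.sun_path, path) != 0))
        return PATH_CORRUPT;
    return rc;
}

/* Why a bounded strncpy alone is not enough: the copy no longer overflows,
 * but the dropped tail means connect() would be pointed at a different file. */
int truncation_names_different_file(void)
{
    struct sockaddr_un addr;
    char path[sizeof(addr.sun_path) + 1];
    memset(path, 'a', sizeof(addr.sun_path));
    path[sizeof(addr.sun_path)] = '\0';
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
    return strcmp(addr.sun_path, path) != 0;
}
```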