[repeat e-mail to include mailing list]

On 15-10-21 09:47 AM, Pedro Alves wrote:
> On 10/21/2015 02:34 PM, Aleksandar Ristovski wrote:
>
>> +static void
>> +nto_sniff_abi_note_section (bfd *abfd, asection *sect, void *obj)
>> +{
>> + const char *sectname;
>> + unsigned int sectsize;
>> + /* Buffer holding the section contents. */
>> + char *note;
>> + unsigned int namelen;
>> + const char *name;
>> +
>> + sectname = bfd_get_section_name (abfd, sect);
>> + sectsize = bfd_section_size (abfd, sect);
>> +
>> + if (sectsize > 128)
>> + sectsize = 128;
>> +
>> + if (sectname != NULL && strstr (sectname, QNX_INFO_SECT_NAME) != NULL)
>> + *(enum gdb_osabi *) obj = GDB_OSABI_QNXNTO;
>> +
>> + if (sectname != NULL && strstr (sectname, "note") != NULL)
>
> This can be "else if".

Ok.

>
>> + {
>> + const unsigned sizeof_Elf_Nhdr = 12;
>> +
>> + note = XNEWVEC (char, sectsize);
>> + bfd_get_section_contents (abfd, sect, note, 0, sectsize);
>> + namelen = (unsigned int) bfd_h_get_32 (abfd, note);
>
> You also need to check that the section's size
> is enough to contain 'namelen', _before_ extracting it, otherwise
> you may be reading garbage.
>

Done.

>
>> + name = note + sizeof_Elf_Nhdr;
>> + if (sectsize < namelen + sizeof_Elf_Nhdr
>
>> + || namelen > sizeof (QNX_NOTE_NAME) + 1)

Removed "+ 1" here.

>> + {
>> + /* Can not be QNX note. */
>> + XDELETEVEC (note);
>> + return;
>
> Thanks,
> Pedro Alves
>
> And compare to exact expected length of the qnx name.

+ if (namelen == sizeof (QNX_NOTE_NAME)
+ && 0 == strcmp (name, QNX_NOTE_NAME))

Attached the latest version.

Thanks,
Aleksandar Ristovski
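Review bot: in the hunk that allocates `note` and reads `namelen`, the result of `bfd_get_section_contents (abfd, sect, note, 0, sectsize)` is discarded; it returns FALSE when the contents cannot be read, and in that case `note` still holds whatever XNEWVEC handed back, so `bfd_h_get_32 (abfd, note)` parses uninitialized heap memory. Suggest `if (!bfd_get_section_contents (abfd, sect, note, 0, sectsize)) { XDELETEVEC (note); return; }`, and, since `sectsize` is clamped to 128 from above but has no lower bound, rejecting `sectsize < sizeof_Elf_Nhdr` before that read so a truncated note section cannot push the header read past the end of the buffer.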
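Review bot: in the new `namelen == sizeof (QNX_NOTE_NAME) && 0 == strcmp (name, QNX_NOTE_NAME)` check, `name` points into a raw section buffer that carries no guarantee of NUL termination, so `strcmp` stays within `sectsize` only because the equal-length test runs first and the terminator in `QNX_NOTE_NAME` stops the comparison. That coupling is easy to lose in a later edit; `memcmp (name, QNX_NOTE_NAME, sizeof (QNX_NOTE_NAME)) == 0` states the bound explicitly and additionally requires the note's own name field to end in NUL.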