On Wed, Dec 4, 2024 at 11:26 AM Samuel Thibault <samuel.thiba...@gnu.org> wrote:
> It's probably worth checking other _write methods in libstore/
That, and also glibc should make more efforts to be resilient against servers returning bogus read/write amounts, whether by mistake like here or maliciously.

If we don't sanitize 'count', the

    data = (void *) ((char *) data + count);

line in _IO_new_file_write doesn't look safe at all. That's an arbitrary memory disclosure and a crash/DoS in plain sight.

Sergey
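The unsanitized-count problem Sergey points at, as an added illustration that is not code from glibc, the Hurd or this thread. The backend (fake_write), the capture buffer, the 64-byte payload and the two loop variants are all constructed here: the first loop has the shape of the quoted _IO_new_file_write pattern and trusts whatever count comes back, the second rejects any count the backend could not legitimately have produced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical write backend standing in for the RPC/syscall a stream's
   write loop calls. It copies at most 'server_chunk' bytes per call into a
   capture buffer (the "server") and reports a count that a buggy or
   malicious server may inflate by 'bogus_extra'. Not glibc or Hurd code. */
typedef ssize_t (*write_fn) (const void *buf, size_t len);

static char server_buf[256];
static size_t server_len;
static size_t server_chunk = sizeof server_buf;
static ssize_t bogus_extra;

static ssize_t
fake_write (const void *buf, size_t len)
{
  size_t room = sizeof server_buf - server_len;
  size_t take = len < server_chunk ? len : server_chunk;
  if (take > room)
    take = room;
  memcpy (server_buf + server_len, buf, take);
  server_len += take;
  return (ssize_t) take + bogus_extra;   /* honest unless bogus_extra != 0 */
}

struct result
{
  ssize_t total;     /* what the loop believes it wrote, -1 on error */
  ptrdiff_t end_off; /* where 'data' ended, relative to the buffer start */
};

/* Loop shaped like the _IO_new_file_write pattern quoted in the thread:
   'count' is trusted, so 'data' is advanced by whatever came back. */
static struct result
file_write_unchecked (write_fn w, const void *data, ssize_t n)
{
  const char *start = data;
  ssize_t to_do = n;
  while (to_do > 0)
    {
      ssize_t count = w (data, (size_t) to_do);
      if (count < 0)
        break;
      to_do -= count;                       /* goes negative on an inflated count */
      data = (const char *) data + count;   /* may now point past the buffer */
    }
  return (struct result) { n - to_do, (const char *) data - start };
}

/* Hardened loop: a count the backend cannot legitimately have produced
   (negative, or larger than the length it was handed) is an I/O error,
   and 'data' stays where it was. */
static struct result
file_write_checked (write_fn w, const void *data, ssize_t n)
{
  const char *start = data;
  ssize_t to_do = n;
  while (to_do > 0)
    {
      ssize_t count = w (data, (size_t) to_do);
      if (count < 0 || count > to_do)
        return (struct result) { -1, (const char *) data - start };
      to_do -= count;
      data = (const char *) data + count;
    }
  return (struct result) { n - to_do, (const char *) data - start };
}

/* Drive one scenario against a constructed 64-byte payload. */
static struct result
run_scenario (int checked, size_t chunk, ssize_t extra)
{
  static const char payload[64] = "constructed sample payload for the write loop demo";
  server_len = 0;
  server_chunk = chunk;
  bogus_extra = extra;
  return checked ? file_write_checked (fake_write, payload, sizeof payload)
                 : file_write_unchecked (fake_write, payload, sizeof payload);
}

int
main (void)
{
  struct result r;
  r = run_scenario (0, 10, 0);
  printf ("honest short writes, unchecked: total=%zd end=%td\n", r.total, r.end_off);
  r = run_scenario (0, 64, 100);
  printf ("server over-reports by 100, unchecked: total=%zd end=%td\n", r.total, r.end_off);
  r = run_scenario (1, 64, 100);
  printf ("server over-reports by 100, checked: total=%zd end=%td\n", r.total, r.end_off);
  return 0;
}
```

With honest short writes (10 bytes per call) both loops finish with 64 bytes and the pointer exactly at the end of the buffer. When the server reports 100 more bytes than it was given, the unchecked loop walks 'data' 100 bytes past the buffer and reports 164 bytes written, which is what a caller will then use for further pointer arithmetic; the checked loop stops at the first call with -1 and the pointer untouched. The check can only bound 'count' by the length handed to the backend in that call: a count inflated but still within that length (try chunk 10 with extra 5) is indistinguishable from a short write, and the checked loop only trips at the tail of the buffer, so higher layers still need to treat the total with the same suspicion.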