From 344f6d3c0e0b2ff923089b5318f3a69c3d5b7f46 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] proc/readproc.c: Harden stat2proc().

1/ Use a "size_t num" instead of an "unsigned num" (also, do not store the return value of sscanf() into num, it was unused anyway).

2/ Check the return value of strchr() and strrchr().

3/ Never jump over the terminating null byte with "S = tmp + 2".
---
 proc/readproc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/proc/readproc.c b/proc/readproc.c
index ca1ebb03..bda8d86b 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -582,7 +582,7 @@ static void sd2proc(proc_t *restrict p) {
 // Reads /proc/*/stat files, being careful not to trip over processes with
 // names like ":-) 1 2 3 4 5 6".
 static void stat2proc(const char* S, proc_t *restrict P) {
- unsigned num;
+ size_t num;
 char* tmp;
 ENTER(0x160);
 
@@ -593,15 +593,19 @@ ENTER(0x160);
 P->sched = -1;
 P->nlwp = 0;
 
- S = strchr(S, '(') + 1;
+ S = strchr(S, '(');
+ if(unlikely(!S)) return;
+ S++;
 tmp = strrchr(S, ')');
+ if(unlikely(!tmp)) return;
+ if(unlikely(!tmp[1])) return;
 num = tmp - S;
 if(unlikely(num >= sizeof P->cmd)) num = sizeof P->cmd - 1;
 memcpy(P->cmd, S, num);
 P->cmd[num] = '\0';
 S = tmp + 2; // skip ") "
- num = sscanf(S,
+ sscanf(S,
 "%c "
 "%d %d %d %d %d "
 "%lu %lu %lu %lu %lu "
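Review bot: The header comment on stat2proc in the context lines of this hunk does not state the contract the commit introduces: the function is void, and the early returns added further down now leave P holding only its default field values on a malformed stat line, with nothing for the caller to test. A reader of the header has no way to know that P->cmd and the sscanf-filled fields may be untouched after the call. I would extend the comment with `// On a malformed line (no '(' , no ')' , or nothing after ')') the function returns early and P keeps its default values; the caller cannot detect this.` The body of stat2proc continues past the end of this hunk, and the `size_t num` it declares here is later assigned from the pointer difference `tmp - S`, a signed ptrdiff_t; an explicit `(size_t)` cast there would document that the value is non-negative by construction and keep -Wsign-conversion quiet.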