proc/readproc.c: Harden stat2proc().

1/ Use a "size_t num" instead of an "unsigned num" (also, do not store
the return value of sscanf() into num, it was unused anyway).

2/ Check the return value of strchr() and strrchr().

3/ Never jump over the terminating null byte with "S = tmp + 2".
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 20269a4129
commit 344f6d3c0e


@ -582,7 +582,7 @@ static void sd2proc(proc_t *restrict p) {
// Reads /proc/*/stat files, being careful not to trip over processes with // Reads /proc/*/stat files, being careful not to trip over processes with
// names like ":-) 1 2 3 4 5 6". // names like ":-) 1 2 3 4 5 6".
static void stat2proc(const char* S, proc_t *restrict P) { static void stat2proc(const char* S, proc_t *restrict P) {
unsigned num; size_t num;
char* tmp; char* tmp;
ENTER(0x160); ENTER(0x160);
@ -593,15 +593,19 @@ ENTER(0x160);
P->sched = -1; P->sched = -1;
P->nlwp = 0; P->nlwp = 0;
S = strchr(S, '(') + 1; S = strchr(S, '(');
if(unlikely(!S)) return;
S++;
tmp = strrchr(S, ')'); tmp = strrchr(S, ')');
if(unlikely(!tmp)) return;
if(unlikely(!tmp[1])) return;
num = tmp - S; num = tmp - S;
if(unlikely(num >= sizeof P->cmd)) num = sizeof P->cmd - 1; if(unlikely(num >= sizeof P->cmd)) num = sizeof P->cmd - 1;
memcpy(P->cmd, S, num); memcpy(P->cmd, S, num);
P->cmd[num] = '\0'; P->cmd[num] = '\0';
S = tmp + 2; // skip ") " S = tmp + 2; // skip ") "
num = sscanf(S, sscanf(S,
"%c " "%c "
"%d %d %d %d %d " "%d %d %d %d %d "
"%lu %lu %lu %lu %lu " "%lu %lu %lu %lu %lu "