From 7efa1022483d205bcfb392d810b05684ae21055d Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] proc/escape.c: Prevent buffer overflows in escape_command(). This solves several problems: 1/ outbuf[1] was written to, but not outbuf[0], which was left uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it explicitly as well); we know it is safe to write one byte to outbuf, because SECURE_ESCAPE_ARGS() guarantees it. 2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow. 3/ Do not call escape_str() with a 0 bufsize if bytes == overhead. 4/ Prevent various buffer overflows if bytes <= overhead. --- proc/escape.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/proc/escape.c b/proc/escape.c index 827337fe..82cd6821 100644 --- a/proc/escape.c +++ b/proc/escape.c @@ -217,11 +217,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp, if(pp->state=='Z') overhead += 10; // chars in " " else flags &= ~ESC_DEFUNCT; } - if(overhead + 1 >= *cells){ // if no room for even one byte of the command name - // you'd damn well better have _some_ space -// outbuf[0] = '-'; // Oct23 - outbuf[1] = '\0'; - return 1; + if(overhead + 1 >= *cells || // if no room for even one byte of the command name + overhead + 1 >= bytes){ + outbuf[0] = '\0'; + return 0; } if(flags & ESC_BRACKETS){ outbuf[end++] = '[';