skill: Prevent multiple overflows in ENLIST().
First problem: saved_argc was used to calculate the size of the array, but saved_argc was never initialized. This triggers an immediate heap- based buffer overflow: $ skill -c0 -c0 -c0 -c0 Segmentation fault (core dumped) Second problem: saved_argc was not the upper bound anyway, because one argument can ENLIST() several times (for example, in parse_namespaces()) and overflow the array as well. Third problem: integer overflow of the size of the array.
This commit is contained in:
parent
56e696ca5f
commit
858df7cc89
6
skill.c
6
skill.c
@ -68,13 +68,13 @@ static int ns_pid;
|
|||||||
static proc_t ns_task;
|
static proc_t ns_task;
|
||||||
|
|
||||||
#define ENLIST(thing,addme) do{ \
|
#define ENLIST(thing,addme) do{ \
|
||||||
if(!thing##s) thing##s = xmalloc(sizeof(*thing##s)*saved_argc); \
|
if(thing##_count < 0 || (size_t)thing##_count >= INT_MAX / sizeof(*thing##s)) \
|
||||||
|
xerrx(EXIT_FAILURE, _("integer overflow")); \
|
||||||
|
thing##s = xrealloc(thing##s, sizeof(*thing##s)*(thing##_count+1)); \
|
||||||
thing##s[thing##_count++] = addme; \
|
thing##s[thing##_count++] = addme; \
|
||||||
}while(0)
|
}while(0)
|
||||||
|
|
||||||
static int my_pid;
|
static int my_pid;
|
||||||
static int saved_argc;
|
|
||||||
|
|
||||||
static int sig_or_pri;
|
static int sig_or_pri;
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
|
Loading…
Reference in New Issue
Block a user