0027-skill: Prevent multiple overflows in ENLIST().

First problem: saved_argc was used to calculate the size of the array, but saved_argc was never initialized. This triggers an immediate heap- based buffer overflow: $ skill -c0 -c0 -c0 -c0 Segmentation fault (core dumped) Second problem: saved_argc was not the upper bound anyway, because one argument can ENLIST() several times (for example, in parse_namespaces()) and overflow the array as well. Third problem: integer overflow of the size of the array.
1970-01-01 00:00:00 +00:00 · 1970-01-01 00:00:00 +00:00 · a016a43b53
commit a016a43b53
parent 3f75d105b9
1 changed files with 3 additions and 2 deletions
--- a/skill.c
+++ b/skill.c
@ -65,7 +65,9 @@ static struct procps_namespaces match_namespaces;
 static int ns_flags = 0x3f;

 #define ENLIST(thing,addme) do{ \
-if(!thing##s) thing##s = xmalloc(sizeof(*thing##s)*saved_argc); \
+if(thing##_count < 0 || (size_t)thing##_count >= INT_MAX / sizeof(*thing##s)) \
+	xerrx(EXIT_FAILURE, _("integer overflow")); \
+thing##s = xrealloc(thing##s, sizeof(*thing##s)*(thing##_count+1)); \
 thing##s[thing##_count++] = addme; \
 }while(0)

@ -82,7 +84,6 @@ enum rel_items {
    EU_PID, EU_EUID, EU_EUSER, EU_TTY, EU_TTYNAME, EU_CMD};

 static int my_pid;
-static int saved_argc;

 static int sig_or_pri;