From ec0cb25af6604ea908a4ed425bae31d1fbd67e86 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0071-proc/readproc.c: Harden supgrps_from_supgids().

1/ Prevent an integer overflow of t. 2/ Avoid an infinite loop if s contains characters other than comma, spaces, +, -, and digits. 3/ Handle all possible return values of snprintf(). ---------------------------- adapted for newlib branch . we can't use xrealloc(), so we use realloc() instead . and must account for a mem failure via a return of 1
Signed-off-by: Jim Warner
---
 proc/readproc.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/proc/readproc.c b/proc/readproc.c
index a53f0775..ca5b16f4 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -478,11 +478,25 @@ static int supgrps_from_supgids (proc_t *p) {
 s = p->supgid;
 t = 0;
 do {
- if (',' == *s) ++s;
- g = pwcache_get_group((uid_t)strtol(s, &s, 10));
- if (!(p->supgrp = realloc(p->supgrp, P_G_SZ+t+2)))
+ const int max = P_G_SZ+2;
+ char *end = NULL;
+ gid_t gid;
+ int len;
+
+ while (',' == *s) ++s;
+ gid = strtol(s, &end, 10);
+ if (end <= s) break;
+ s = end;
+ g = pwcache_get_group(gid);
+
+ if ((t >= INT_MAX - max)
+ || (!(p->supgrp = realloc(p->supgrp, t + max))))
 return 1;
- t += snprintf(p->supgrp+t, P_G_SZ+2, "%s%s", t ? "," : "", g);
+
+ len = snprintf(p->supgrp+t, max, "%s%s", t ? "," : "", g);
+ if (len <= 0) (p->supgrp+t)[len = 0] = '\0';
+ else if (len >= max) len = max-1;
+ t += len;
 } while (*s);
 return 0;