From ed463c7d88429bef650e361eb833bd6fc1505e72 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] 0077-proc/readproc.c: Harden fill_cgroup_cvt(). Check the return value of snprintf(), otherwise dst may point out-of-bounds when it reaches the end of the dst_buffer (the snprintf() always returns 1 in that case, even if there is not enough space left), and vMAX becomes negative and is passed to snprintf() as a size_t. ---------------------------- adapted for newlib branch . adapted via 'patch (without rejections) Signed-off-by: Jim Warner --- proc/readproc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/proc/readproc.c b/proc/readproc.c index 72794d2b..80fa212c 100644 --- a/proc/readproc.c +++ b/proc/readproc.c @@ -805,7 +805,7 @@ static int read_unvectored(char *restrict const dst, unsigned sz, const char* wh static int fill_cgroup_cvt (const char* directory, proc_t *restrict p) { #define vMAX ( MAX_BUFSZ - (int)(dst - dst_buffer) ) char *src, *dst, *grp, *eob, *name; - int tot, x, whackable_int = MAX_BUFSZ; + int tot, x, whackable_int = MAX_BUFSZ, len; *(dst = dst_buffer) = '\0'; // empty destination tot = read_unvectored(src_buffer, MAX_BUFSZ, directory, "cgroup", '\0'); @@ -817,7 +817,10 @@ static int fill_cgroup_cvt (const char* directory, proc_t *restrict p) { #if 0 grp += strspn(grp, "0123456789:"); // jump past group number #endif - dst += snprintf(dst, vMAX, "%s", (dst > dst_buffer) ? "," : ""); + if (vMAX <= 1) break; + len = snprintf(dst, vMAX, "%s", (dst > dst_buffer) ? "," : ""); + if (len < 0 || len >= vMAX) break; + dst += len; dst += escape_str(dst, grp, vMAX, &whackable_int); } if (!(p->cgroup = strdup(dst_buffer[0] ? dst_buffer : "-")))