0077-proc/readproc.c: Harden fill_cgroup_cvt().

Check the return value of snprintf(), otherwise dst may point
out-of-bounds when it reaches the end of the dst_buffer (the snprintf()
always returns 1 in that case, even if there is not enough space left),
and vMAX becomes negative and is passed to snprintf() as a size_t.

---------------------------- adapted for newlib branch
. adapted via 'patch' (without rejections)

Signed-off-by: Jim Warner <james.warner@comcast.net>
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 1052091107
commit ed463c7d88


@ -805,7 +805,7 @@ static int read_unvectored(char *restrict const dst, unsigned sz, const char* wh
static int fill_cgroup_cvt (const char* directory, proc_t *restrict p) {
#define vMAX ( MAX_BUFSZ - (int)(dst - dst_buffer) )
char *src, *dst, *grp, *eob, *name;
int tot, x, whackable_int = MAX_BUFSZ;
int tot, x, whackable_int = MAX_BUFSZ, len;
*(dst = dst_buffer) = '\0'; // empty destination
tot = read_unvectored(src_buffer, MAX_BUFSZ, directory, "cgroup", '\0');
@ -817,7 +817,10 @@ static int fill_cgroup_cvt (const char* directory, proc_t *restrict p) {
#if 0
grp += strspn(grp, "0123456789:"); // jump past group number
#endif
dst += snprintf(dst, vMAX, "%s", (dst > dst_buffer) ? "," : "");
if (vMAX <= 1) break;
len = snprintf(dst, vMAX, "%s", (dst > dst_buffer) ? "," : "");
if (len < 0 || len >= vMAX) break;
dst += len;
dst += escape_str(dst, grp, vMAX, &whackable_int);
}
if (!(p->cgroup = strdup(dst_buffer[0] ? dst_buffer : "-")))
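Review bot: The `dst += escape_str(dst, grp, vMAX, &whackable_int);` line right after the new guard still adds a return value to dst without checking it, so the bound this patch enforces for snprintf() (dst stays inside dst_buffer, vMAX stays positive) depends on escape_str(), which is not visible on this page. After `dst += len` the remaining space can be as small as 1 byte (vMAX was 2 before the comma was written), so escape_str() has to tolerate that size and never return a negative value or more than it actually wrote. Unless that contract is guaranteed elsewhere, I would reuse the new variable: `len = escape_str(dst, grp, vMAX, &whackable_int);` `if (len < 0 || len >= vMAX) break;` `dst += len;`. A short comment on `if (vMAX <= 1) break;` saying that it keeps a non-positive int from being converted to a huge size_t would also help the next reader. The enclosing loop and the rest of fill_cgroup_cvt() lie outside the hunks shown.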