From f44fe715bd621846ee2a490b05a5c9b98b662045 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] 0048-ps/output.c: Make sure all escape*() arguments are safe. The SECURE_ESCAPE_ARGS() macro solves several potential problems (although we found no problematic calls to the escape*() functions in procps's code-base, but had to thoroughly review every call; and this is library code): 1/ off-by-one overflows if the size of the destination buffer is 0; 2/ buffer overflows if this size (or "maxroom") is negative; 3/ integer overflows (for example, "*maxcells+1"); 4/ always null-terminate the destination buffer (unless its size is 0). ---------------------------- adapted for newlib branch . formerly applied to proc/escape.c . function was moved to ps/output.c Signed-off-by: Jim Warner --- ps/output.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ps/output.c b/ps/output.c index c0f59068..a75e234c 100644 --- a/ps/output.c +++ b/ps/output.c @@ -110,9 +110,19 @@ static void get_memory_total() procps_meminfo_unref(&mem_info); } +#define SECURE_ESCAPE_ARGS(dst, bytes, cells) do { \ + if ((bytes) <= 0) return 0; \ + *(dst) = '\0'; \ + if ((bytes) >= INT_MAX) return 0; \ + if ((cells) >= INT_MAX) return 0; \ + if ((cells) <= 0) return 0; \ +} while (0) + // copy an already 'escaped' string, static int escaped_copy(char *restrict dst, const char *restrict src, int bufsize, int *maxroom){ int n; + + SECURE_ESCAPE_ARGS(dst, bufsize, *maxroom); if (bufsize > *maxroom+1) bufsize = *maxroom+1; n = snprintf(dst, bufsize, "%s", src);