From 1836e84e94835c849172d410c67464c9a8478845 Mon Sep 17 00:00:00 2001
From: Joey Schulze
Date: Fri, 16 Jul 2004 06:48:27 +0000
Subject: [PATCH] =?UTF-8?q?Ulf=20H=C3=A4rnhammar=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added boundary check for fscanf() in InitKsyms() and CheckMapVersion() to prevent an unintended crash when reading an incorrect System.map.

Hello,

I have discovered a potential crash bug in sysklogd. The klogd daemon doesn't handle really malformed System.map files very well. It has two fscanf() calls with "%s"format strings that stores to char sym[512] arrays. This causes a crash if the string field in the file is longer than that. Despite being a buffer overflow, this is not a security problem, as only root can change the System.map file. Nevertheless, I think it is worth fixing, as the Right Thing for a program should be not to assume anything about its input and to handle various problems well.
---
 ksym.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ksym.c b/ksym.c
index a9f1a32..d08903f 100644
--- a/ksym.c
+++ b/ksym.c
@@ -109,6 +109,11 @@
 * Thu Apr 29 18:07:16 CEST 2004: Dmitry Levin
 * Close file descriptor in FindSymbolFile() in order not to leak
 * file descriptors.
+ *
+ * Fri Jul 16 08:32:49 CEST 2004: Ulf Härnhammar
+ * Added boundary check for fscanf() in InitKsyms() and
+ * CheckMapVersion() to prevent an unintended crash when reading
+ * an incorrect System.map.
 */
 
 
@@ -240,7 +245,7 @@ extern int InitKsyms(mapfile)
 */
 while ( !feof(sym_file) )
 {
- if ( fscanf(sym_file, "%lx %c %s\n", &address, &type, sym)
+ if ( fscanf(sym_file, "%lx %c %511s\n", &address, &type, sym)
 != 3 )
 {
 Syslog(LOG_ERR, "Error in symbol table input (#1).");
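Review bot: The `%511s` width added to the fscanf() call in InitKsyms() is a bare literal that has to stay exactly one less than the declared size of `sym`, and nothing in the hunk ties the two together; `sym` is declared outside the hunk (the commit message says `char sym[512]`), and the function starts and ends outside the hunk as well. Declaring the array from a named constant and deriving the format width from the same constant (or building the format string with a stringified `SYM_LEN - 1`, as a constructed example) would keep a later resize of `sym` from quietly reintroducing the overflow. The width also changes what an over-long symbol does: rather than overflowing, fscanf() now stops after 511 characters and still returns 3, so the entry is accepted with a silently truncated name and the leftover characters are left in the stream for the next iteration, where they will most likely make the `%lx` conversion fail and be reported as "Error in symbol table input (#1)." — a misleading diagnostic for what is really a too-long line. Reading each line with fgets() into a fixed buffer and checking for the newline before calling sscanf() would let the code reject an over-long line as such instead of truncating it. The same two points apply to the CheckMapVersion() hunk that follows.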
@@ -539,7 +544,7 @@ static int CheckMapVersion(fname)
 version = 0;
 while ( !feof(sym_file) && (version == 0) )
 {
- if ( fscanf(sym_file, "%lx %c %s\n", &address, \
+ if ( fscanf(sym_file, "%lx %c %511s\n", &address, \
 &type, sym) != 3 )
 {
 Syslog(LOG_ERR, "Error in symbol table input (#2).");