src/librc/librc-daemon.c: fix buffer overrun in pid_is_argv
The contents of /proc/<pid>/cmdline are read into
a stack buffer using
bytes = read(fd, buffer, sizeof(buffer));
followed by appending a null terminator to the buffer with
buffer[bytes] = '\0';
If bytes == sizeof(buffer), then this write is out-of-bounds.
Refactor the code to use rc_getfile instead, since PATH_MAX
is not the maximum size of /proc/<pid>/cmdline. (I hit this
issue in practice while compiling Linux; it tripped the
stack-smashing protector.)
This is roughly the same buffer overflow condition
that was fixed by commit 0ddee9b7d2
This fixes #269.
This commit is contained in:
parent
97e74f9734
commit
084877eb52
@ -48,34 +48,40 @@ pid_is_exec(pid_t pid, const char *exec)
|
||||
static bool
|
||||
pid_is_argv(pid_t pid, const char *const *argv)
|
||||
{
|
||||
char *buffer = NULL;
|
||||
char *cmdline = NULL;
|
||||
int fd;
|
||||
char buffer[PATH_MAX];
|
||||
char *p;
|
||||
ssize_t bytes;
|
||||
size_t bytes;
|
||||
bool rc;
|
||||
|
||||
xasprintf(&cmdline, "/proc/%u/cmdline", pid);
|
||||
if ((fd = open(cmdline, O_RDONLY)) < 0) {
|
||||
if (!rc_getfile(cmdline, &buffer, &bytes)) {
|
||||
free(cmdline);
|
||||
return false;
|
||||
}
|
||||
bytes = read(fd, buffer, sizeof(buffer));
|
||||
close(fd);
|
||||
free(cmdline);
|
||||
if (bytes == -1)
|
||||
if (bytes <= 0) {
|
||||
if (buffer)
|
||||
free(buffer);
|
||||
return false;
|
||||
|
||||
buffer[bytes] = '\0';
|
||||
}
|
||||
p = buffer;
|
||||
rc = true;
|
||||
while (*argv) {
|
||||
if (strcmp(*argv, p) != 0)
|
||||
return false;
|
||||
if (strcmp(*argv, p) != 0) {
|
||||
rc = false;
|
||||
break;
|
||||
}
|
||||
|
||||
argv++;
|
||||
p += strlen(p) + 1;
|
||||
if ((unsigned)(p - buffer) > sizeof(buffer))
|
||||
return false;
|
||||
if ((unsigned)(p - buffer) >= bytes) {
|
||||
rc = false;
|
||||
break;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
free(buffer);
|
||||
return rc;
|
||||
}
|
||||
|
||||
RC_PIDLIST *
|
||||
|
Loading…
Reference in New Issue
Block a user