emo/procps
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

0076-proc/readproc.c: Harden vectorize_this_str().

Browse Source 
This detects an integer overflow of "strlen + 1", prevents an integer
overflow of "tot + adj + (2 * pSZ)", and avoids calling snprintf with a
string longer than INT_MAX. Truncate rather than fail, since the callers
do not expect a failure of this function.

---------------------------- adapted for newlib branch
. logic is now in pids.c
. former 'vectorize_this_str' is now 'pids_vectorize_this'

Signed-off-by: Jim Warner <james.warner@comcast.net>
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent d9c0a3e36f
commit 1052091107
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
proc/pids.c
View File

@ -97,9 +97,10 @@ struct pids_info {
static char** pids_vectorize_this (const char* src) { static char** pids_vectorize_this (const char* src) {
#define pSZ (sizeof(char*)) #define pSZ (sizeof(char*))
char *cpy, **vec; char *cpy, **vec;
int adj, tot; size_t adj, tot;
tot = strlen(src) + 1; // prep for our vectors tot = strlen(src) + 1; // prep for our vectors
if (tot < 1 || tot >= INT_MAX) tot = INT_MAX-1; // integer overflow?
adj = (pSZ-1) - ((tot + pSZ-1) & (pSZ-1)); // calc alignment bytes adj = (pSZ-1) - ((tot + pSZ-1) & (pSZ-1)); // calc alignment bytes
cpy = calloc(1, tot + adj + (2 * pSZ)); // get new larger buffer cpy = calloc(1, tot + adj + (2 * pSZ)); // get new larger buffer
if (!cpy) return NULL; // oops, looks like ENOMEM if (!cpy) return NULL; // oops, looks like ENOMEM