top: address 'show_special()' o-o-b read/write concern

This patch addresses a potential (but unlikely) buffer overflow by reducing, if necessary, a memcpy length by 3 bytes to provide for an eol '\0' and 2 unused buffer positions which also might receive the '\0' character. [ note to future analysis tool: just because you see ] [ binary data being manipulated in the routine, that ] [ doesn't mean such function was passed binary data! ] Reference(s): . original qualys patch 0116-top-Fix-out-of-bounds-read-write-in-show_special.patch Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-06-02 00:00:00 -05:00 · 2018-06-02 00:00:00 -05:00 · 8b94d11585
commit 8b94d11585
parent 085351a0ee
1 changed files with 14 additions and 5 deletions
--- a/top/top.c
+++ b/top/top.c
@ -752,7 +752,7 @@ static void show_special (int interact, const char *glob) {
  /* note: the following is for documentation only,
           the real captab is now found in a group's WIN_t !
     +------------------------------------------------------+
-     | char *captab[] = {                 :   Cap's/Delim's |
+     | char *captab[] = {                 :   Cap's = Index |
     |   Cap_norm, Cap_norm,              =   \000, \001,   |
     |   cap_bold, capclr_sum,            =   \002, \003,   |
     |   capclr_msg, capclr_pmt,          =   \004, \005,   |
@ -762,9 +762,16 @@ static void show_special (int interact, const char *glob) {
     +------------------------------------------------------+ */
  /* ( Pssst, after adding the termcap transitions, row may )
     ( exceed 300+ bytes, even in an 80x24 terminal window! )
-     ( And if we're no longer guaranteed lines created only )
-     ( by top, we'll need larger buffs plus some protection )
-     ( against overrunning them with this 'lin_end - glob'. ) */
+     ( Shown here are the former buffer size specifications )
+     ( char tmp[SMLBUFSIZ], lin[MEDBUFSIZ], row[LRGBUFSIZ]. )
+     ( So now we use larger buffers and a little protection )
+     ( against overrunning them with this 'lin_end - glob'. )
+
+     ( That was uncovered during 'Inspect' development when )
+     ( this guy was being considered for a supporting role. )
+     ( However, such an approach was abandoned. As a result )
+     ( this function is called only with a glob under top's )
+     ( control and never containing any 'raw/binary' chars! ) */
   char tmp[LRGBUFSIZ], lin[LRGBUFSIZ], row[ROWMAXSIZ];
   char *rp, *lin_end, *sub_beg, *sub_end;
   int room;
@ -772,7 +779,7 @@ static void show_special (int interact, const char *glob) {
   // handle multiple lines passed in a bunch
   while ((lin_end = strchr(glob, '\n'))) {
     #define myMIN(a,b) (((a) < (b)) ? (a) : (b))
-      size_t lessor = myMIN((size_t)(lin_end - glob), sizeof(lin) -1);
+      size_t lessor = myMIN((size_t)(lin_end - glob), sizeof(lin) -3);

      // create a local copy we can extend and otherwise abuse
      memcpy(lin, glob, lessor);
@ -787,6 +794,8 @@ static void show_special (int interact, const char *glob) {
         if ('~' == ch) ch = *(sub_end + 1) - '0';
         switch (ch) {
            case 0:                    // no end delim, captab makes normal
+               // only possible when '\n' was NOT preceeded with a '~#' sequence
+               // ( '~1' thru '~8' is valid range, '~0' is never actually used )
               *(sub_end + 1) = '\0';  // extend str end, then fall through
               *(sub_end + 2) = '\0';  // ( +1 optimization for usual path )
            case 1: case 2: case 3: case 4: