0048-ps/output.c: Make sure all escape*() arguments are safe.
The SECURE_ESCAPE_ARGS() macro solves several potential problems (although we found no problematic calls to the escape*() functions in procps's code-base, we had to thoroughly review every call, and this is library code): 1/ off-by-one overflows if the size of the destination buffer is 0; 2/ buffer overflows if this size (or "maxroom") is negative; 3/ integer overflows (for example, "*maxcells+1"); 4/ always null-terminate the destination buffer (unless its size is 0). ---------------------------- adapted for newlib branch . formerly applied to proc/escape.c . function was moved to ps/output.c Signed-off-by: Jim Warner <james.warner@comcast.net>
This commit is contained in:
parent
f0b245c794
commit
f44fe715bd
10
ps/output.c
10
ps/output.c
@ -110,9 +110,19 @@ static void get_memory_total()
|
|||||||
procps_meminfo_unref(&mem_info);
|
procps_meminfo_unref(&mem_info);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define SECURE_ESCAPE_ARGS(dst, bytes, cells) do { \
|
||||||
|
if ((bytes) <= 0) return 0; \
|
||||||
|
*(dst) = '\0'; \
|
||||||
|
if ((bytes) >= INT_MAX) return 0; \
|
||||||
|
if ((cells) >= INT_MAX) return 0; \
|
||||||
|
if ((cells) <= 0) return 0; \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
// copy an already 'escaped' string,
|
// copy an already 'escaped' string,
|
||||||
static int escaped_copy(char *restrict dst, const char *restrict src, int bufsize, int *maxroom){
|
static int escaped_copy(char *restrict dst, const char *restrict src, int bufsize, int *maxroom){
|
||||||
int n;
|
int n;
|
||||||
|
|
||||||
|
SECURE_ESCAPE_ARGS(dst, bufsize, *maxroom);
|
||||||
if (bufsize > *maxroom+1)
|
if (bufsize > *maxroom+1)
|
||||||
bufsize = *maxroom+1;
|
bufsize = *maxroom+1;
|
||||||
n = snprintf(dst, bufsize, "%s", src);
|
n = snprintf(dst, bufsize, "%s", src);
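Review bot: SECURE_ESCAPE_ARGS hides a `return 0` from the calling function and evaluates `bytes` and `cells` more than once, yet the new `#define` at the top of the hunk carries no comment saying so; the one call here, `SECURE_ESCAPE_ARGS(dst, bufsize, *maxroom)`, is safe because `*maxroom` has no side effects, but a future call passing an expression with side effects, or placed in a function that does not return int, would silently misbehave. I would put a comment above the `#define`: `/* Validate (dst, bytes, cells) for the escape*() helpers: on a bad size, NUL-terminate dst (if bytes > 0) and return 0 from the enclosing int function. Arguments are evaluated more than once; pass side-effect-free expressions only. */`. The check ordering itself is sound: `*(dst) = '\0'` happens only after `bytes > 0` is established, and rejecting `cells >= INT_MAX` is what keeps the following `*maxroom+1` from overflowing. The macro relies on `INT_MAX`, so ps/output.c needs `<limits.h>` in scope; the include list is outside this hunk, so that cannot be confirmed here. escaped_copy continues past the end of the hunk, so how `n` is clamped against `bufsize` after the snprintf is not reviewable from this view.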
|
||||||
|