[strongSwan-dev] [PATCH] printf-hook-builtin: fix invalid memory access
Timo Teräs
timo.teras at iki.fi
Sun Jul 26 14:22:02 CEST 2015
When precision is given for a string, we must not run unbounded
strlen() as it will read beyong given length. It might even cause
creash if the given pointer is near end of heap or mapping.
Fixes numerous valgrind errors such as:
==19215== Invalid read of size 1
==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
==19215== by 0x52CE464: dntoa (identification.c:337)
==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
==19215== by 0x52CD198: chunk_printable (chunk.c:759)
==19215== by 0x52CE442: dntoa (identification.c:334)
==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
index 466c673..bf1727f 100644
--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
@@ -15,6 +15,7 @@
/**
* Copyright (C) 2002-2006 H. Peter Anvin
+ * Copyright (C) 2015 Timo Teräs
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
@@ -843,14 +844,14 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
/* String */
sarg = va_arg(ap, const char *);
sarg = sarg ? sarg : "(null)";
- slen = strlen(sarg);
+ slen = prec ? strnlen(sarg, prec) : strlen(sarg);
goto is_string;
}
case 'm':
{
/* glibc error string */
sarg = strerror(errno);
- slen = strlen(sarg);
+ slen = prec ? strnlen(sarg, prec) : strlen(sarg);
goto is_string;
}
is_string:
--
2.4.6
More information about the Dev
mailing list