Bug 11234 - __get_argv can overflow its return buffer
Summary: __get_argv can overflow its return buffer
Status: RESOLVED FIXED
Alias: None
Product: systemtap
Classification: Unclassified
Component: tapsets (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Josh Stone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-28 22:02 UTC by Josh Stone
Modified: 2010-02-05 02:45 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Josh Stone 2010-01-28 22:02:03 UTC 
__get_argv features this snippet:

  int rc, len = MAXSTRINGLEN;
...
  rc = strlcpy (str, buf, len);
  str += rc;
  len -= rc;

However, strlcpy returns the length of the input string, not the number of bytes
copied.  So it's possible to have rc > len, and then the subtraction will make
len negative.  Since strlcpy takes a size_t (unsigned), that len is cast to a
large positive number in the next iteration, so the buffer protection is
effectively destroyed.

__get_compat_argv is also broken in this way.
Comment 1 Josh Stone 2010-01-29 05:12:16 UTC 
commit f754097
Comment 2 Josh Stone 2010-02-05 02:45:09 UTC 
(In reply to comment #1)
> commit f754097

While this commit did seem to solve the issue at hand, we decided to rewrite
__get_argv in pure script mode.  (commit a2d399c8)