Bug 11234

Summary: __get_argv can overflow its return buffer
Product: systemtap
Reporter: Josh Stone <jistone>
Component: tapsets
Assignee: Josh Stone <jistone>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Josh Stone 2010-01-28 22:02:03 UTC
__get_argv features this snippet:

  int rc, len = MAXSTRINGLEN;
...
  rc = strlcpy (str, buf, len);
  str += rc;
  len -= rc;

However, strlcpy returns the length of the input string, not the number of bytes
copied.  So it's possible to have rc > len, and then the subtraction will make
len negative.  Since strlcpy takes a size_t (unsigned), that len is cast to a
large positive number in the next iteration, so the buffer protection is
effectively destroyed.

__get_compat_argv is also broken in this way.
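The following C program is an added illustration of the accounting error described above; it is not code from systemtap or from the reporter. It isolates the `len -= rc` pattern with a guard in place of the out-of-bounds write, so the point at which the bound would be destroyed can be observed without corrupting memory, and shows the corrected accounting beside it. `my_strlcpy` (a local copy of the BSD contract), the tiny `MAXSTRINGLEN` of 16, the helper names and the sample argv are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, made tiny so the wrap is easy to reach; the real
 * systemtap MAXSTRINGLEN is larger. */
#define MAXSTRINGLEN 16

/* Local strlcpy with the BSD contract: copies at most size-1 bytes,
 * NUL-terminates when size > 0, and returns strlen(src), which is NOT
 * the number of bytes copied when src does not fit. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The accounting from the bug report, with a guard in place of the
 * out-of-bounds write.  len mirrors the report: an int reduced by
 * strlcpy's return value.  Returns the index of the first argument whose
 * strlcpy call would receive (size_t)len after len went negative (a bound
 * near SIZE_MAX), or -1 when every argument fit and the bound held. */
int buggy_wrap_index(const char *const *args, size_t nargs, size_t bufsize)
{
    int len = (int)bufsize;
    for (size_t i = 0; i < nargs; i++) {
        if (len < 0)
            return (int)i;             /* strlcpy(str, buf, (size_t)len) would follow */
        int rc = (int)strlen(args[i]); /* exactly what strlcpy returns, fit or not */
        len -= rc;                     /* goes negative as soon as rc > len */
    }
    return -1;
}

/* Fixed accounting: join args with single spaces into out[outsize].
 * strlcpy's return value is only used to advance str/len when it is < len;
 * otherwise the destination is full and the loop stops.
 * Returns 1 if the result was truncated, 0 otherwise. */
int join_args(char *out, size_t outsize, const char *const *args, size_t nargs)
{
    char *str = out;
    size_t len = outsize;

    if (outsize == 0)
        return 1;
    out[0] = '\0';
    for (size_t i = 0; i < nargs; i++) {
        size_t rc = my_strlcpy(str, args[i], len);
        if (rc >= len)
            return 1;                  /* truncated; do not advance str/len */
        str += rc;
        len -= rc;
        if (i + 1 < nargs) {
            if (len < 2)               /* need room for ' ' and the NUL */
                return 1;
            *str++ = ' ';
            *str = '\0';
            len--;
        }
    }
    return 0;
}

/* Constructed sample argv (not from the report): the second argument is
 * longer than the whole buffer, so the original arithmetic drives len
 * negative and the third strlcpy would run with the bound destroyed. */
static const char *const SAMPLE_ARGS[] = { "aaaa", "bbbbbbbbbbbbbbbbbbbb", "c" };
#define SAMPLE_NARGS (sizeof SAMPLE_ARGS / sizeof SAMPLE_ARGS[0])

int demo_wrap_index(void)
{
    return buggy_wrap_index(SAMPLE_ARGS, SAMPLE_NARGS, MAXSTRINGLEN);
}

/* Runs the fixed join on the sample; stores the result length through *outlen. */
int demo_fixed(size_t *outlen)
{
    char out[MAXSTRINGLEN];
    int truncated = join_args(out, sizeof out, SAMPLE_ARGS, SAMPLE_NARGS);
    *outlen = strlen(out);
    return truncated;
}

int main(void)
{
    size_t n;
    int t = demo_fixed(&n);
    printf("buggy accounting: bound destroyed before argument %d\n", demo_wrap_index());
    printf("fixed accounting: truncated=%d, output length=%zu (max %d)\n",
           t, n, MAXSTRINGLEN - 1);
    return 0;
}
```

The fix hinges on one comparison: a return value of `rc >= len` means strlcpy truncated, so `str` and `len` must not be advanced by `rc` at all; keeping `len` as `size_t` and stopping on truncation removes both the negative intermediate and the implicit cast that turned it into a huge bound.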
Comment 1 Josh Stone 2010-01-29 05:12:16 UTC
commit f754097
Comment 2 Josh Stone 2010-02-05 02:45:09 UTC
(In reply to comment #1)
> commit f754097

While this commit did seem to solve the issue at hand, we decided to rewrite
__get_argv in pure script mode.  (commit a2d399c8)