Bug 11234 - __get_argv can overflow its return buffer
Summary: __get_argv can overflow its return buffer
Alias: None
Product: systemtap
Classification: Unclassified
Component: tapsets (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Josh Stone
Depends on:
Reported: 2010-01-28 22:02 UTC by Josh Stone
Modified: 2010-02-05 02:45 UTC (History)
0 users

See Also:
Last reconfirmed:


Note You need to log in before you can comment on or make changes to this bug.
Description Josh Stone 2010-01-28 22:02:03 UTC
__get_argv features this snippet:

  int rc, len = MAXSTRINGLEN;
  rc = strlcpy (str, buf, len);
  str += rc;
  len -= rc;

However, strlcpy returns the length of the input string, not the number of bytes
copied.  So it's possible to have rc > len, and then the subtraction will make
len negative.  Since strlcpy takes a size_t (unsigned), that len is cast to a
large positive number in the next iteration, so the buffer protection is
effectively destroyed.

__get_compat_argv is also broken in this way.
Comment 1 Josh Stone 2010-01-29 05:12:16 UTC
commit f754097
Comment 2 Josh Stone 2010-02-05 02:45:09 UTC
(In reply to comment #1)
> commit f754097

While this commit did seem to solve the issue at hand, we decided to rewrite
__get_argv in pure script mode.  (commit a2d399c8)