This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/22991] New: Invalid truncation of quoted strings
- From: "georg.schoelly at joesecurity dot org" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sourceware dot org
- Date: Wed, 21 Mar 2018 16:32:25 +0000
- Subject: [Bug runtime/22991] New: Invalid truncation of quoted strings
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22991
Bug ID: 22991
Summary: Invalid truncation of quoted strings
Product: systemtap
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: runtime
Assignee: systemtap at sourceware dot org
Reporter: georg.schoelly at joesecurity dot org
Target Milestone: ---
Overview
========
The function _stp_text_str() incorrectly truncates some strings when
MAXSTRINGLEN is reached.
Example code
============
> probe oneshot {
>     printf("%s\n", string_quoted("This is a \\test", 18));
>     printf("%s\n", string_quoted("This is a \\test", 17));
>     printf("%s\n", string_quoted("This is a \\test", 16));
> }
>
> /* same as string_quoted in tapset/string.stp with
>  * an additional length parameter */
> function string_quoted:string (str:string, len:long) %{
>     (void) _stp_text_str(STAP_RETVALUE,
>                          (char *)(uintptr_t)STAP_ARG_str,
>                          STAP_ARG_len, STAP_ARG_len, 1, 0, 0);
> %}
Expected Output
===============
> $ sudo stap -g systap_error.stp
> "This is a \\test"
> "This is a \\"...
> "This is a "...
Actual Output
=============
> $ sudo stap -g systap_error.stp
> "This is a \\test"
> "This is a \\"...
> "This is a \"... <----- notice the broken escaped char
Discussion
==========
A bare \" at the truncation point makes it impossible to parse the output correctly in all edge cases, because a consumer cannot tell the escaped quote from the closing quote. The same cut can also split a multi-character escape such as a unicode escape (\U12345678).

The problem lies in runtime/stp_string.c, where strings are truncated without taking any escaped characters into account.
A solution
==========
https://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=blob;f=runtime/stp_string.c#l152
I think the simplest fix is to decrease the max string length. Change:
> outlen = max(outlen, 5) - 2;
to
> outlen = max(outlen, 5) - 5; /* 5 chars for quotes and maybe "..." */
and
> if (quoted) {
>     if (c && inlen > 0) {
>         out = out - 3 + outlen;
>         *out++ = '"';
>         *out++ = '.';
>         *out++ = '.';
>         *out++ = '.';
>     } else
>         *out++ = '"';
> }
to
> if (quoted) {
>     /* we made sure earlier there's enough space for 4 more chars */
>     *out++ = '"';
>     if (c && inlen > 0) { /* string truncated */
>         *out++ = '.';
>         *out++ = '.';
>         *out++ = '.';
>     }
> }
(That last `c` should probably be `(c == 0 && !buffer)` because buffers do not end on \0.)
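The following is an added illustration of the defect described in the Discussion and of the property the proposed fix needs to guarantee; it is not code from this report or from the systemtap runtime. The hypothetical `quote_string()` runs in two modes: cutting the output at a byte count, which reproduces the dangling `\"` shown under "Actual Output", and stopping before any escape sequence that would not fit whole, which yields the "Expected Output". `escape_byte()` uses a reduced escape set chosen for the example, and the sample input is the report's own string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escaped form of one byte, written NUL-terminated into esc (max 4 chars).
 * Backslash and double quote get a two-char escape, other non-printable
 * bytes become \xNN, everything else is copied as-is. This is a reduced
 * escape set for the example, not the runtime's full table. */
static size_t escape_byte(unsigned char c, char esc[5])
{
    if (c == '\\' || c == '"') {
        esc[0] = '\\';
        esc[1] = (char)c;
        esc[2] = '\0';
        return 2;
    }
    if (c < 0x20 || c >= 0x7f)
        return (size_t)snprintf(esc, 5, "\\x%02x", c);
    esc[0] = (char)c;
    esc[1] = '\0';
    return 1;
}

/* Quote str into out (cap bytes including the NUL).
 * Returns 0 if the whole string fit, 1 if it was truncated (output then ends
 * in "..."), -1 if cap cannot even hold "\"\"...".
 * whole_escapes == 0 cuts the output at a byte count, which is the defect the
 * report describes: a multi-char escape can be split, leaving a dangling \.
 * whole_escapes == 1 emits an escape sequence only when all of it fits. */
int quote_string(const char *str, char *out, size_t cap, int whole_escapes)
{
    const size_t tail = 1 + 3 + 1;             /* closing quote, "...", NUL */
    char esc[5];
    size_t i, k, pos = 0, full = 2 + 1;        /* two quotes plus NUL */
    size_t n = strlen(str), limit;
    int truncated;

    for (i = 0; i < n; i++)
        full += escape_byte((unsigned char)str[i], esc);
    truncated = full > cap;
    if (truncated && cap < 1 + tail) {
        if (cap)
            out[0] = '\0';
        return -1;
    }
    /* first output index the payload may NOT use */
    limit = truncated ? cap - tail : cap - 2;

    out[pos++] = '"';
    for (i = 0; i < n && pos < limit; i++) {
        size_t len = escape_byte((unsigned char)str[i], esc);
        if (whole_escapes && pos + len > limit)
            break;                             /* fixed: stop before the escape */
        for (k = 0; k < len && pos < limit; k++)
            out[pos++] = esc[k];               /* buggy mode may stop mid-escape */
    }
    out[pos++] = '"';
    if (truncated) {
        out[pos++] = '.';
        out[pos++] = '.';
        out[pos++] = '.';
    }
    out[pos] = '\0';
    return truncated;
}

/* Check helper: quote str under the given cap/mode and compare the text and
 * return code against what is expected. Returns 1 on match, 0 otherwise. */
int quote_matches(const char *str, size_t cap, int whole_escapes,
                  int expect_rc, const char *expect)
{
    char buf[64];
    if (cap > sizeof buf)
        return 0;
    return quote_string(str, buf, cap, whole_escapes) == expect_rc
        && strcmp(buf, expect) == 0;
}

int main(void)
{
    static const char *in = "This is a \\test";   /* the report's sample input */
    size_t caps[] = { 19, 17, 16 };               /* constructed buffer sizes */
    char buf[32];
    size_t i;
    for (i = 0; i < 3; i++) {
        quote_string(in, buf, caps[i], 0);
        printf("cap %2zu  byte-cut: %-22s", caps[i], buf);
        quote_string(in, buf, caps[i], 1);
        printf("whole-escape: %s\n", buf);
    }
    return 0;
}
```

With a 17-byte buffer the byte-cut mode prints `"This is a \"...` and the whole-escape mode prints `"This is a "...`, the same pair of lines the report shows under Actual and Expected Output; an input containing a control byte shows the same split on the longer `\xNN` form, which is the analogue of the `\U12345678` case mentioned above.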