summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2005-11-19 01:14:05 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:05:28 -0500
commit572e6dd578ac59b14fbce605af70cbebe6707af9 (patch)
tree5e00f438bdae234f98cc28fcef95b294ffb7dbc0
parent9be0ce442285a0f63e6c226f6cf07d05a3f20021 (diff)
downloadsamba-572e6dd578ac59b14fbce605af70cbebe6707af9.tar.gz
samba-572e6dd578ac59b14fbce605af70cbebe6707af9.tar.bz2
samba-572e6dd578ac59b14fbce605af70cbebe6707af9.zip
r11799: Added OpenSSH fix for "%.*s" format crash. From Darren Tucker
<dtucker@zip.com.au> Jeremy. (This used to be commit b7dee71f26b26e2aed4124c7de52fa6771ce40dd)
-rw-r--r--source3/lib/snprintf.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/source3/lib/snprintf.c b/source3/lib/snprintf.c
index 633517def2..a3e4b06d47 100644
--- a/source3/lib/snprintf.c
+++ b/source3/lib/snprintf.c
@@ -89,6 +89,12 @@
*
* Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
* if the C library has some snprintf functions already.
+ *
+ * Darren Tucker (dtucker@zip.com.au)
+ * Fix bug allowing read overruns of the source string with "%.*s"
+ * Usually harmless unless the read runs outside the process' allocation
+ * (eg if your malloc does guard pages) in which case it will segfault.
+ * From OpenSSH. Also added test for same.
**************************************************************/
#ifndef NO_CONFIG_H
@@ -479,7 +485,7 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
value = "<NULL>";
}
- for (strln = 0; value[strln]; ++strln); /* strlen */
+ for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
padlen = min - strln;
if (padlen < 0)
padlen = 0;
@@ -892,6 +898,7 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...)
{
char buf1[1024];
char buf2[1024];
+ char *buf3;
char *fp_fmt[] = {
"%1.1f",
"%-1.5f",
@@ -1001,6 +1008,20 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...)
}
}
+#define BUFSZ 2048
+
+ if ((buf3 = malloc(BUFSZ)) == NULL) {
+ fail++;
+ } else {
+ num++;
+ memset(buf3, 'a', BUFSZ);
+ snprintf(buf1, sizeof(buf1), "%.*s", 1, buf3);
+ if (strcmp(buf1, "a") != 0) {
+ printf("length limit buf1 '%s' expected 'a'\n", buf1);
+ fail++;
+ }
+ }
+
printf ("%d tests failed out of %d.\n", fail, num);
printf("seeing how many digits we support\n");