author | Jeremy Allison <jra@samba.org> | 2005-11-19 01:12:10 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:46:29 -0500 |
commit | 931b1974a27b929b5b40d65d986f6381a0bc0daa (patch) | |
tree | ca58de925291386d020a034d7f2bca758aaa6429 | |
parent | 771d4fab26c8580cbc186caee067884a314ecbc7 (diff) | |
r11797: Added OpenSSH fix for "%.*s" format crash. From Darren Tucker
<dtucker@zip.com.au>
Jeremy.
(This used to be commit a2006c162833f8e0513c2f2744688960c04b7e67)
-rw-r--r-- | source4/lib/replace/snprintf.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/source4/lib/replace/snprintf.c b/source4/lib/replace/snprintf.c
index adfd3c4d78..67b00b3d84 100644
--- a/source4/lib/replace/snprintf.c
+++ b/source4/lib/replace/snprintf.c
@@ -53,6 +53,12 @@
 * got rid of fcvt code (twas buggy and made testing harder)
 * added C99 semantics
 *
+ * Darren Tucker (dtucker@zip.com.au)
+ * Fix bug allowing read overruns of the source string with "%.*s"
+ * Usually harmless unless the read runs outside the process' allocation
+ * (eg if your malloc does guard pages) in which case it will segfault.
+ * From OpenSSH. Also added test for same.
+ *
 **************************************************************/
 
 #ifndef NO_CONFIG_H /* for some tests */
@@ -436,7 +442,7 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 value = "<NULL>";
 }
 
- for (strln = 0; value[strln]; ++strln); /* strlen */
+ for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
 padlen = min - strln;
 if (padlen < 0)
 padlen = 0;
@@ -851,6 +857,7 @@ static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
 {
 char buf1[1024];
 char buf2[1024];
+ char *buf3;
 char *fp_fmt[] = {
 "%1.1f",
 "%-1.5f",
@@ -959,6 +966,20 @@ static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
 }
 }
 
+#define BUFSZ 2048
+
+ if ((buf3 = malloc(BUFSZ)) == NULL) {
+ fail++;
+ } else {
+ num++;
+ memset(buf3, 'a', BUFSZ);
+ snprintf(buf1, sizeof(buf1), "%.*s", 1, buf3);
+ if (strcmp(buf1, "a") != 0) {
+ printf("length limit buf1 '%s' expected 'a'\n", buf1);
+ fail++;
+ }
+ }
+
 printf ("%d tests failed out of %d.\n", fail, num);
 
 printf("seeing how many digits we support\n");
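Review bot: The bounded length scan in `fmtstr` (`strln < max && value[strln]`) is only safe if `max` is already a non-negative byte count when `fmtstr` is entered; the hunk shows neither the parameter's type nor the caller's clamping, so that precondition should be stated at the loop rather than left implicit. I'd put `/* scan at most max bytes: with "%.*s" the source need not be NUL-terminated, so reading past the precision is an overrun */` above the `for`, and add `max >= 0` to the function's contract comment. Using the truncated `strln` for `padlen = min - strln` is the right width computation, since only `max` characters will be emitted; presumably the later copy loop is already bounded by `max`, which is why only the length scan needed the fix. The body of `fmtstr` starts and ends outside the hunk.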
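Review bot: `buf3` is allocated with `malloc(BUFSZ)` but never released after the `"%.*s"` check, so the test leaks 2048 bytes; add `free(buf3);` as the last statement of the else branch. The deliberately unterminated buffer is the whole point of the test (the fixed code may read only one byte), so a comment such as `/* intentionally not NUL-terminated: "%.*s" must stop at the precision */` above the `memset` would keep a future maintainer from "fixing" it. A `#define BUFSZ 2048` inside the function body is unusual; `enum { BUFSZ = 2048 };` at the same spot, or a file-scope constant, reads more conventionally. The enclosing test function starts and ends outside the hunk.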