From 572e6dd578ac59b14fbce605af70cbebe6707af9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 19 Nov 2005 01:14:05 +0000 Subject: r11799: Added OpenSSH fix for "%.*s" format crash. From Darren Tucker Jeremy. (This used to be commit b7dee71f26b26e2aed4124c7de52fa6771ce40dd) --- source3/lib/snprintf.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'source3/lib/snprintf.c') diff --git a/source3/lib/snprintf.c b/source3/lib/snprintf.c index 633517def2..a3e4b06d47 100644 --- a/source3/lib/snprintf.c +++ b/source3/lib/snprintf.c @@ -89,6 +89,12 @@ * * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even * if the C library has some snprintf functions already. + * + * Darren Tucker (dtucker@zip.com.au) + * Fix bug allowing read overruns of the source string with "%.*s" + * Usually harmless unless the read runs outside the process' allocation + * (eg if your malloc does guard pages) in which case it will segfault. + * From OpenSSH. Also added test for same. **************************************************************/ #ifndef NO_CONFIG_H @@ -479,7 +485,7 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen, value = ""; } - for (strln = 0; value[strln]; ++strln); /* strlen */ + for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ padlen = min - strln; if (padlen < 0) padlen = 0; @@ -892,6 +898,7 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...) { char buf1[1024]; char buf2[1024]; + char *buf3; char *fp_fmt[] = { "%1.1f", "%-1.5f", @@ -1001,6 +1008,20 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...) } } +#define BUFSZ 2048 + + if ((buf3 = malloc(BUFSZ)) == NULL) { + fail++; + } else { + num++; + memset(buf3, 'a', BUFSZ); + snprintf(buf1, sizeof(buf1), "%.*s", 1, buf3); + if (strcmp(buf1, "a") != 0) { + printf("length limit buf1 '%s' expected 'a'\n", buf1); + fail++; + } + } + printf ("%d tests failed out of %d.\n", fail, num); printf("seeing how many digits we support\n"); -- cgit