diff options
author | Uwe Kleine-König <u.kleine-koenig@pengutronix.de> | 2011-02-18 17:04:55 +0100 |
---|---|---|
committer | Uwe Kleine-König <u.kleine-koenig@pengutronix.de> | 2011-02-18 17:04:55 +0100 |
commit | 4e3759b80102f0ea619f7dcda1ef8e9b95a88c97 (patch) | |
tree | 07981bd20d5b6647bb577fc912a59003b5952292 | |
parent | ea00cb53cc8ab0bd158dca4fa5f7c8968b34f244 (diff) | |
download | rt-tests-4e3759b80102f0ea619f7dcda1ef8e9b95a88c97.tar.gz |
new patch: kernvar() fix possible buffer overflow
Notice: this object is not reachable from any branch.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Notice: this object is not reachable from any branch.
-rw-r--r-- | debian/patches/kernvar_fix_possible_buffer_overflow | 69 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/debian/patches/kernvar_fix_possible_buffer_overflow b/debian/patches/kernvar_fix_possible_buffer_overflow new file mode 100644 index 0000000..b69f99e --- /dev/null +++ b/debian/patches/kernvar_fix_possible_buffer_overflow @@ -0,0 +1,69 @@ +From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +Subject: kernvar(): fix possible buffer overflow in string handling + +strncat writes up to n+1 chars when n is passed as 3rd argument. So when +doing + strncpy(filename, fileprefix, sizeof(filename)); + strncat(filename, name, sizeof(filename) - strlen(fileprefix)); + +with strlen(fileprefix) + strlen(name) >= sizeof(filename) a buffer +overflow occurs. Addionally there is no check if filename is big enough. + +So convert to memcpy and handle filename not being big enough. + +Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +--- + src/backfire/sendme.c | 12 ++++++++++-- + src/cyclictest/cyclictest.c | 11 +++++++++-- + 2 files changed, 19 insertions(+), 4 deletions(-) + +--- a/src/backfire/sendme.c ++++ b/src/backfire/sendme.c +@@ -28,6 +28,7 @@ + #include <sched.h> + #include <string.h> + #include <time.h> ++#include <errno.h> + #include "rt-utils.h" + #include "rt-get_cpu.h" + +@@ -63,9 +64,16 @@ + char *fileprefix = get_debugfileprefix(); + int retval = 1; + int path; ++ size_t len_prefix = strlen(fileprefix), len_name = strlen(name); ++ ++ if (len_prefix + len_name + 1 > sizeof(filename)) { ++ errno = ENOMEM; ++ return 1; ++ } ++ ++ memcpy(filename, fileprefix, len_prefix); ++ memcpy(filename + len_prefix, name, len_name + 1); + +- strncpy(filename, fileprefix, sizeof(filename)); +- strncat(filename, name, sizeof(filename) - strlen(fileprefix)); + path = open(filename, mode); + if (path >= 0) { + if (mode == O_RDONLY) { +--- a/src/cyclictest/cyclictest.c ++++ b/src/cyclictest/cyclictest.c +@@ -199,9 +199,16 @@ + char filename[128]; + int retval = 1; + int path; ++ size_t len_prefix = strlen(fileprefix), len_name = strlen(name); ++ ++ if (len_prefix + len_name + 1 > sizeof(filename)) { ++ errno = ENOMEM; ++ return 1; ++ } ++ ++ memcpy(filename, fileprefix, len_prefix); ++ memcpy(filename + len_prefix, name, len_name + 1); + +- strncpy(filename, fileprefix, sizeof(filename)); +- strncat(filename, name, sizeof(filename) - strlen(fileprefix)); + path = open(filename, mode); + if (path >= 0) { + if (mode == O_RDONLY) { diff --git a/debian/patches/series b/debian/patches/series index d0dc06e..8f21407 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ install_hwlatdetect_into_sbindir modernize_backfire_Makefile install_backfire_Makefile debian_adapt_errormsg_on_failure_to_open_device +kernvar_fix_possible_buffer_overflow |