Bug #11826: Buffer overflow and memory leak in "libbsm"
Status: closed
% Done: 100%
Difficulty: Medium
Description
The code for loading the event map in "libbsm" has at least two serious bugs.
1.) There is a buffer overflow in the load_map() function in "usr/src/lib/libbsm/common/au_preselect.c":

    static int
    load_map()
    {
        register au_event_ent_t *evp;

        event_count = 0;
        setauevent();
        while ((evp = getauevent()) != (au_event_ent_t *)NULL) {
            if (event_count > alloc_count)          /* <======== */
                if (realloc_map() == -1) {
                    endauevent();
                    return (-1);
                }
            event_map[event_count].event = evp->ae_number;
            event_map[event_count].class = evp->ae_class;
            ++event_count;
        }
        endauevent();
        return (0);
    }

It tries to store one more element in the allocated buffer than there is room for.
2.) The code for resizing the map will leak memory if the resize fails and lead to later crashes:

    static int
    realloc_map()
    {
        register size_t rsize;

        rsize = sizeof (event_map_t) * (alloc_count + ALLOC_INCR);
        if ((event_map = (event_map_t *) realloc(event_map, rsize)) ==
            (event_map_t *)NULL)
            return (-1);
        return (0);
    }

Calling the function reallocf() here would IMHO not be the correct solution as we want to keep the old map.
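The two fixes the report asks for, shown together in an added, self-contained C model. This is not libbsm's code and not the committed fix: the event record layout, the ALLOC_INCR value, the in-memory source array standing in for getauevent(), and the demo_realloc() failure hook are all assumptions made for the example. The grow check uses `>=` so the map is extended when it is exactly full, and realloc() goes through a temporary so a failed resize leaves the old map and its size intact.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed demo definitions (not libbsm's): record layout and growth step. */
#define ALLOC_INCR 4

typedef struct {
    unsigned short event;
    unsigned int   class;
} event_map_t;

static event_map_t *event_map = NULL;   /* the map; NULL until first growth */
static size_t alloc_count = 0;          /* slots allocated */
static size_t event_count = 0;          /* slots in use */

/* Demo-only failure hook: when nonzero, the next realloc() is reported as
 * failed without touching the old buffer, which is exactly what a real
 * realloc() failure does. */
int fail_next_realloc = 0;

static void *demo_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Fix for bug 2: realloc() into a temporary. On failure event_map still
 * points at the old (still valid) buffer and alloc_count still describes
 * it, so nothing leaks and later accesses do not dereference NULL. */
static int realloc_map(void)
{
    size_t new_count = alloc_count + ALLOC_INCR;
    event_map_t *tmp = demo_realloc(event_map, new_count * sizeof(*tmp));

    if (tmp == NULL)
        return -1;
    event_map = tmp;
    alloc_count = new_count;
    return 0;
}

/* Fix for bug 1: grow when the map is full (event_count == alloc_count),
 * not only once event_count has already passed the end. src/n stand in
 * for the setauevent()/getauevent() walk of the real code. */
static int load_map(const event_map_t *src, size_t n)
{
    size_t i;

    event_count = 0;
    for (i = 0; i < n; i++) {
        if (event_count >= alloc_count) {
            if (realloc_map() == -1)
                return -1;          /* old map and alloc_count untouched */
        }
        event_map[event_count] = src[i];
        ++event_count;
    }
    return 0;
}

static void free_map(void)
{
    free(event_map);
    event_map = NULL;
    alloc_count = event_count = 0;
}

int main(void)
{
    /* Constructed sample input: nine records, more than two growth steps. */
    event_map_t src[9];
    size_t i;

    for (i = 0; i < 9; i++) {
        src[i].event = (unsigned short)(i + 1);
        src[i].class = 1u << i;
    }
    if (load_map(src, 9) == 0)
        printf("loaded %zu events into %zu slots\n", event_count, alloc_count);

    /* Force the resize to fail on the next growth and show the old map survives. */
    free_map();
    load_map(src, 4);
    fail_next_realloc = 1;
    if (load_map(src, 5) == -1)
        printf("resize failed; map still valid with %zu of %zu slots\n",
            event_count, alloc_count);
    free_map();
    return 0;
}
```

With nine records the map grows 0, 4, 8, 12 slots; the final record lands in slot 8 of a 12-slot buffer rather than one past the end of an 8-slot one. In the forced-failure run the fifth record triggers a resize that fails, load_map() returns -1, and the four records already stored remain addressable through the unchanged event_map.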
Updated by Matthias Scheler over 3 years ago
- Status changed from New to In Progress
- Assignee set to Matthias Scheler
Updated by Electric Monk over 3 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit b9c9c3595312927fb362936529c5679117843b93

    commit b9c9c3595312927fb362936529c5679117843b93
    Author: Matthias Scheler <matthias.scheler@wdc.com>
    Date:   2019-10-24T21:23:26.000Z

        11826 Buffer overflow and memory leak in "libbsm"
        Reviewed by: Andy Fiddaman <andy@omniosce.org>
        Reviewed by: Robert Mustacchi <rm@fingolfin.org>
        Reviewed by: Toomas Soome <tsoome@me.com>
        Approved by: Dan McDonald <danmcd@joyent.com>