Bug #12786

fix CTF pointer overrun

Added by John Levon about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

History

#1

Updated by John Levon about 1 month ago

via Nicolò Mazzucato:

"The problem arose when `p = "s"`, and `lp->ctl_prefix = "struct"`.
`strncmp("s", "struct", 1)` returns 0, because it checks only the first char.
The following line (137) was advancing `p (= "s")` by 6, going over the terminator.
(The value of p can be user controlled.)"
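A constructed C illustration of the prefix check described above, added here and not taken from the illumos CTF source: `skip_buggy` reproduces a length-limited `strncmp` that lets "s" match "struct" and returns a 6-byte skip over a 1-byte string, while `skip_fixed` requires the word length to equal the prefix length before comparing bytes. The prefix table, the `first_word_len` helper and both function names are assumptions for this example; the exact change in commit d15d17d4 may differ.

```c
#include <string.h>

/* Constructed prefix table in the spirit of the CTF lookup table;
 * the field names are assumptions, not copied from illumos. */
struct prefix_entry {
    const char *ctl_prefix;
    size_t ctl_len;
};

static const struct prefix_entry prefixes[] = {
    { "struct", 6 },
    { "union", 5 },
    { "enum", 4 },
    { NULL, 0 }
};

/* Length of the first word of s (up to the first space or NUL). */
static size_t first_word_len(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && s[n] != ' ')
        n++;
    return n;
}

/* Faulty check: strncmp looks at only wordlen bytes, so "s" matches
 * "struct" and the returned skip (6) exceeds the bytes present (1).
 * A caller doing p += skip would walk past the terminator. */
size_t skip_buggy(const char *s)
{
    size_t wordlen = first_word_len(s);
    for (const struct prefix_entry *lp = prefixes; lp->ctl_prefix != NULL; lp++) {
        if (strncmp(s, lp->ctl_prefix, wordlen) == 0)
            return lp->ctl_len;
    }
    return 0;
}

/* Corrected check: the word must be exactly as long as the prefix before
 * the bytes are compared, so the skip never exceeds what is present. */
size_t skip_fixed(const char *s)
{
    size_t wordlen = first_word_len(s);
    for (const struct prefix_entry *lp = prefixes; lp->ctl_prefix != NULL; lp++) {
        if (wordlen == lp->ctl_len && strncmp(s, lp->ctl_prefix, wordlen) == 0)
            return lp->ctl_len;
    }
    return 0;
}
```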

#2

Updated by John Levon about 1 month ago

I ran the CTF test suite, a full build, did spot checks of svc.startd CTF, and ran some of the dtrace test suite.

#3

Updated by Electric Monk about 1 month ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit d15d17d4231f87f1571fa6d585377206f360f667

commit  d15d17d4231f87f1571fa6d585377206f360f667
Author: Nicolò Mazzucato <nicomazz97@gmail.com>
Date:   2020-06-03T10:01:46.000Z

    12786 fix CTF pointer overrun
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Robert Mustacchi <rm@fingolfin.org>
    Approved by: Dan McDonald <danmcd@joyent.com>
