Bug #12786: fix CTF pointer overrun
Status: Closed
% Done: 100%
Difficulty: Medium
Updated by John Levon over 3 years ago
via Nicolò Mazzucato:
"The problem arose when `p = "s"` and `lp->ctl_prefix = "struct"`.
`strncmp("s", "struct", 1)` returns 0, because it checks only the first char.
The following line (137) was advancing `p (= "s")` by 6, going over the terminator.
(The value of p can be user controlled.)"
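The failure mode quoted above, as an added example that is not illumos code and does not reproduce the CTF lookup verbatim: a constructed keyword table in the style of the `ctl_prefix`/`ctl_len` pairs the comment mentions, the buggy length-limited `strncmp` beside a whole-token check, and a cursor advance that cannot step past the terminator. The names (`keyword_t`, `buggy_keyword_skip`, `fixed_keyword_skip`, `skip_keyword`) and the sample inputs are invented for illustration; the actual change in the fix commit may differ in detail.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the keyword table described in the bug: each
 * entry pairs a type keyword with its length, and the caller advances the
 * cursor by that length once the keyword has matched.
 */
typedef struct keyword {
    const char *kw_prefix;  /* keyword text, e.g. "struct" */
    size_t kw_len;          /* strlen(kw_prefix) */
} keyword_t;

static const keyword_t keywords[] = {
    { "struct", 6 },
    { "union", 5 },
    { "enum", 4 },
    { NULL, 0 }
};

/* Length of the whitespace-delimited token starting at p. */
static size_t
token_len(const char *p)
{
    size_t n = 0;

    while (p[n] != '\0' && !isspace((unsigned char)p[n]))
        n++;
    return (n);
}

/*
 * Buggy form: compare only the first token_len(p) bytes.  A short token
 * such as "s" therefore matches "struct", and the returned skip (6) exceeds
 * the remaining input (1), so a caller doing p += skip passes the NUL.
 */
size_t
buggy_keyword_skip(const char *p)
{
    size_t tl = token_len(p);
    const keyword_t *kp;

    for (kp = keywords; kp->kw_prefix != NULL; kp++) {
        if (strncmp(p, kp->kw_prefix, tl) == 0)
            return (kp->kw_len);
    }
    return (0);
}

/*
 * Fixed form: require the token and the keyword to have the same length
 * before comparing, so only a whole-word match advances the cursor.
 */
size_t
fixed_keyword_skip(const char *p)
{
    size_t tl = token_len(p);
    const keyword_t *kp;

    for (kp = keywords; kp->kw_prefix != NULL; kp++) {
        if (tl == kp->kw_len && strncmp(p, kp->kw_prefix, tl) == 0)
            return (kp->kw_len);
    }
    return (0);
}

/* True when advancing p by skip bytes would pass its NUL terminator. */
int
skip_overruns(const char *p, size_t skip)
{
    return (skip > strlen(p));
}

/*
 * Cursor advance using the fixed check: returns the text after the keyword
 * and any following whitespace, or p itself when no keyword matched.
 */
const char *
skip_keyword(const char *p)
{
    for (p += fixed_keyword_skip(p); isspace((unsigned char)*p); p++)
        continue;
    return (p);
}

int
main(void)
{
    /* Constructed inputs; "s" and "st x" are the attacker-style cases. */
    const char *inputs[] = { "s", "struct foo", "structure", "st x", "e" };
    size_t i;

    for (i = 0; i < sizeof (inputs) / sizeof (inputs[0]); i++) {
        size_t b = buggy_keyword_skip(inputs[i]);
        printf("%-12s buggy=%zu%s fixed=%zu rest=\"%s\"\n", inputs[i], b,
            skip_overruns(inputs[i], b) ? " (OVERRUN)" : "",
            fixed_keyword_skip(inputs[i]), skip_keyword(inputs[i]));
    }
    return (0);
}
```

The length check is one of several equivalent remedies; comparing `kw_len + 1` bytes (so the terminator or delimiter must also agree) or rejecting any skip larger than the remaining input would close the same hole. Note that the buggy form also matches an empty token against the first table entry, so a trailing-space input would be affected as well.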
Updated by John Levon over 3 years ago
I ran the CTF test suite, a full build, did spot checks of svc.startd CTF, and ran some of the dtrace test suite.
Updated by Electric Monk over 3 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit d15d17d4231f87f1571fa6d585377206f360f667
commit d15d17d4231f87f1571fa6d585377206f360f667
Author: Nicolò Mazzucato <nicomazz97@gmail.com>
Date: 2020-06-03T10:01:46.000Z

12786 fix CTF pointer overrun
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Approved by: Dan McDonald <danmcd@joyent.com>