When precision is given for a string, we must not run unbounded strlen() as it will read beyong given length. It might even cause creash if the given pointer is near end of heap or mapping.
Fixes numerous valgrind errors such as: ==19215== Invalid read of size 1 ==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853) ==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084) ==19215== by 0x52CE464: dntoa (identification.c:337) ==19215== by 0x52CE464: identification_printf_hook (identification.c:837) ==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) ==19215== by 0x57040EB: vlog (bus.c:388) ==19215== by 0x570427D: log_ (bus.c:430) ==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) ==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) ==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) ==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) ==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) ==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) ==19215== by 0x52C3125: load_feature (plugin_loader.c:716) ==19215== by 0x52C3125: load_provided (plugin_loader.c:778) ==19215== by 0x52C3A20: load_features (plugin_loader.c:799) ==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) ==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd ==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296) ==19215== by 0x52CD198: chunk_printable (chunk.c:759) ==19215== by 0x52CE442: dntoa (identification.c:334) ==19215== by 0x52CE442: identification_printf_hook (identification.c:837) ==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) ==19215== by 0x57040EB: vlog (bus.c:388) ==19215== by 0x570427D: log_ (bus.c:430) ==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) ==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) ==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) ==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) ==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) ==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) ==19215== by 0x52C3125: load_feature (plugin_loader.c:716) ==19215== by 0x52C3125: load_provided (plugin_loader.c:778) ==19215== by 0x52C3A20: load_features (plugin_loader.c:799) ==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) Signed-off-by: Timo Teräs <[email protected]> --- src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c index 466c673..bf1727f 100644 --- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c @@ -15,6 +15,7 @@ /** * Copyright (C) 2002-2006 H. Peter Anvin + * Copyright (C) 2015 Timo Teräs * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -843,14 +844,14 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) /* String */ sarg = va_arg(ap, const char *); sarg = sarg ? sarg : "(null)"; - slen = strlen(sarg); + slen = prec ? strnlen(sarg, prec) : strlen(sarg); goto is_string; } case 'm': { /* glibc error string */ sarg = strerror(errno); - slen = strlen(sarg); + slen = prec ? strnlen(sarg, prec) : strlen(sarg); goto is_string; } is_string: -- 2.4.6 _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
