When compiling with -D_FORTIFY_SOURCE=2, the following buffer overflow gets detected:

  Starting program: /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01
  symlink01    1  PASS  :  Creation of symbolic link file to no object file is ok
  symlink01    2  PASS  :  Creation of symbolic link file to no object file is ok
  symlink01    3  PASS  :  Creation of symbolic link file and object file via symbolic link is ok
  symlink01    4  PASS  :  Creating an existing symbolic link file error is caught
  *** buffer overflow detected ***: /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01 terminated
  ======= Backtrace: =========
  /lib64/libc.so.6(__chk_fail+0x2f)[0x2b5ae730f31f]
  /lib64/libc.so.6[0x2b5ae730e3c3]
  /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x4048fe]
  /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x403e7b]
  /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x4047b7]
  /lib64/libc.so.6(__libc_start_main+0xf4)[0x2b5ae725a184]
  /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x401c39]

  (gdb) bt
  #0  0x00002b5ae726cbb5 in raise () from /lib64/libc.so.6
  #1  0x00002b5ae726dfb0 in abort () from /lib64/libc.so.6
  #2  0x00002b5ae72a332b in __libc_message () from /lib64/libc.so.6
  #3  0x00002b5ae730f31f in __chk_fail () from /lib64/libc.so.6
  #4  0x00002b5ae730e3c3 in __strcat_chk () from /lib64/libc.so.6
  #5  0x00000000004048fe in creat_path_max (path1=0x409d88 "object", path2=<value optimized out>, path3=<value optimized out>)
      at symlink01.c:844
  #6  0x0000000000403e7b in do_syscalltests (tcs=0x50cec0) at symlink01.c:958
  #7  0x00000000004047b7 in main (argc=<value optimized out>, argv=<value optimized out>) at symlink01.c:569
  (gdb) up
  #1  0x00002b5ae726dfb0 in abort () from /lib64/libc.so.6
  (gdb)
  #2  0x00002b5ae72a332b in __libc_message () from /lib64/libc.so.6
  (gdb)
  #3  0x00002b5ae730f31f in __chk_fail () from /lib64/libc.so.6
  (gdb)
  #4  0x00002b5ae730e3c3 in __strcat_chk () from /lib64/libc.so.6
  (gdb)
  #5  0x00000000004048fe in creat_path_max (path1=0x409d88 "object", path2=<value optimized out>, path3=<value optimized out>)
      at symlink01.c:844
  844            strcat(full_path, "Z");


Variable full_path exceeds the PATH_MAX limit in creat_path_max(). To avoid a
buffer overflow, the size of full_path needs to be incremented by one.

Signed-off-by: Daniel Gollub <[EMAIL PROTECTED]>

---
 testcases/kernel/syscalls/symlink/symlink01.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01.c
===================================================================
--- ltp-full-20080916.orig/testcases/kernel/syscalls/symlink/symlink01.c
+++ ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01.c
@@ -488,7 +488,7 @@ time_t a_time_value = 100;
 char  *TCID;
 char  *Selectedtests = NULL;           /* Name (tcid) of selected test cases */
 char test_msg[BUFMAX];
-char full_path[PATH_MAX+1];
+char full_path[PATH_MAX+1+1]; /* Add one for '\0' and another to exceed the 
PATH_MAX limit, see creat_path_max() */
 extern int Tst_count;
 extern char *TESTDIR;
 /*extern char *strrchr();*/
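
Review bot: The +1+1 on the full_path declaration only resizes the buffer; the unchecked strcat(full_path, "Z") shown at symlink01.c:844 in the backtrace is untouched, so the declaration here and the append in creat_path_max() have to be kept in step by hand. Consider a named size constant (a macro defined as PATH_MAX + 2, for instance) used both in this declaration and in a length check before the append, and move the explanatory comment onto its own line above the declaration so the line does not wrap.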


_______________________________________________
Ltp-list mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ltp-list
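
The sizing arithmetic behind the fix, as an added example that is not LTP code: build_over_limit() is a hypothetical stand-in for creat_path_max() that checks the destination size before writing a string one character longer than the limit. It shows that a PATH_MAX+1 buffer is refused while a PATH_MAX+1+1 buffer is accepted.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback; Linux <limits.h> normally defines it */
#endif

/*
 * Hypothetical stand-in for creat_path_max() (not LTP code): write "/<comp>"
 * pieces while they fit in `limit` characters, pad with 'Z' up to `limit`,
 * then append one more 'Z' so the string is limit + 1 characters long.
 * Returns the final length, or 0 if dst cannot hold it plus the '\0'.
 */
size_t build_over_limit(char *dst, size_t dstsize, const char *comp, size_t limit)
{
    size_t need = limit + 1 + 1;   /* limit + 1 characters and the terminator */
    size_t len = 0, clen = strlen(comp);

    if (dst == NULL || dstsize < need)
        return 0;                  /* refuse instead of writing past the end */

    while (len + 1 + clen <= limit) {
        dst[len++] = '/';
        memcpy(dst + len, comp, clen);
        len += clen;
    }
    while (len < limit)
        dst[len++] = 'Z';
    dst[len++] = 'Z';              /* the character that crosses the limit */
    dst[len] = '\0';
    return len;
}

int main(void)
{
    static char before[PATH_MAX + 1];      /* size before the patch */
    static char after[PATH_MAX + 1 + 1];   /* size after the patch */

    printf("PATH_MAX+1 buffer: %zu\n",
           build_over_limit(before, sizeof before, "object", PATH_MAX));
    printf("PATH_MAX+2 buffer: %zu\n",
           build_over_limit(after, sizeof after, "object", PATH_MAX));
    return 0;
}
```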