On Wed, May 01, 2013 at 11:35:30PM -0400, Mike Frysinger wrote:
[...]
> + /* 4*(n-1) + 3 for quotes and NUL */
> + char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
> +
> + if (entering(tcp))
> + return 0;
> +
> + switch (code) {
> + case UBI_IOCMKVOL:
> + if (!verbose(tcp) || umove(tcp, arg, &mkvol) < 0)
> + return 0;
> +
> + tprintf(", {vol_id=%" PRIi32 ", alignment=%" PRIi32
> + ", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
> + mkvol.alignment, (int64_t)mkvol.bytes);
> + printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
> + string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
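Review bot: the string_quote call at the end of this hunk passes mkvol.name_len, copied straight from the traced process by umove, as the length to quote, while vol_name is sized only for UBI_MAX_VOLUME_NAME input bytes, so an oversized name_len overruns the buffer; bound it before quoting, e.g. `string_quote(mkvol.name, vol_name, -1, CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME));`, the same way rnvol.count is clamped in the for-loop bound of the UBI_IOCRNVOL case. The size comment also does not match the declaration it annotates: `/* 4*(n-1) + 3 for quotes and NUL */` describes a smaller buffer than `char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];`; make the comment state the formula actually used.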
Because mkvol.name_len is untrusted input, it can exceed
UBI_MAX_VOLUME_NAME with good chance to overflow vol_name[].
I suggest adding some kind of
CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME).
[...]
> + case UBI_IOCRNVOL: {
> + __s32 c;
> +
> + if (!verbose(tcp) || umove(tcp, arg, &rnvol) < 0)
> + return 0;
> +
> + tprintf(", {count=%" PRIi32 ", ents=[", rnvol.count);
> + for (c = 0; c < CLAMP(rnvol.count, 0, UBI_MAX_RNVOL); ++c) {
> + if (c)
> + tprints(", ");
> + string_quote(rnvol.ents[c].name, vol_name, -1,
> + rnvol.ents[c].name_len);
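Review bot: the string_quote call at the end of this hunk has the same unbounded length: rnvol.ents[c].name_len comes from the traced process and is passed unchecked, even though rnvol.count on the line just above is clamped with CLAMP(rnvol.count, 0, UBI_MAX_RNVOL) before it is used as a bound; apply a CLAMP(..., 0, UBI_MAX_VOLUME_NAME) to each entry's name_len as well, since it is quoted into the same fixed-size vol_name buffer.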
The same issue with this string_quote call.
--
ldv
_______________________________________________ Strace-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/strace-devel
