Martin Pitt [2014-12-15 12:50 +0100]:
> #7 0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee "/etc/localtime",
>     switch_cur=0xffffd81c, zone_cur=0xffffd810, dst_cur=0xffffd809,
>     switch_next=0xffffd824, delta_next=0xffffd820, zone_next=0xffffd814,
>     dst_next=0xffffd80a) at src/shared/time-dst.c:104
>         type_idxs = 0x565b98d8 ""
>         num_types = 1
>         types = 0x565b98d8
>         zone_names = 0x565b98e0 "UTC"
>         st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188,
>               st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
>               __pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8,
>               st_atim = {tv_sec = 1418641254, tv_nsec = 924653672},
>               st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672},
>               st_ctim = {tv_sec = 1418641254, tv_nsec = 920653672},
>               st_ino = 351284}
>         num_isstd = 1
>         num_isgmt = 1
>         tzhead = {tzh_magic = "TZif", tzh_version = "2",
>                   tzh_reserved = '\000' <repeats 14 times>,
>                   tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt = "\000\000\000\001",
>                   tzh_leapcnt = "\000\000\000", tzh_timecnt = "\000\000\000",
>                   tzh_typecnt = "\000\000\000\001", tzh_charcnt = "\000\000\000\004"}
>         chars = 4
>         i = 1
>         total_size = 12
>         types_idx = 0
>         trans_width = 4
>         tzspec_len = 0
>         num_leaps = 0
>         lo = 4294956851
>         hi = 1
>         num_transitions = 0
>         transitions = 0x565b98d8
>         f = 0x565b9970
To clarify:

    186         transitions = malloc0(total_size + tzspec_len);

transitions gets 12 bytes allocated (see above frame for values of variables).

    192         types = (struct ttinfo *)((char *)transitions + types_idx);

As types_idx == 0, types == transitions, thus 12 bytes long.

    193         zone_names = (char *)types + num_types * sizeof(struct ttinfo);

num_types == 1, thus zone_names == types + 8, i. e. zone_names is 4 bytes. chars is 4 bytes, thus

    247         zone_names[chars] = '\0';

writes at zone_names[4] aka transitions[12] which is one byte past the allocated buffer.

I think the most robust solution would be to just allocate an extra byte so that we can always actually fit that null byte. Does that sound ok?

Thanks,
Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
From 597f3557b73ae0b4b449dc54b6b0e0a720864051 Mon Sep 17 00:00:00 2001 From: Martin Pitt <martin.p...@ubuntu.com> Date: Mon, 15 Dec 2014 13:06:48 +0100 Subject: [PATCH] shared: time-dst: Avoid buffer overflow Commit 681f9718 introduced an additional null terminator for the zone names. Increase the allocation of "transitions" to actually make room for this. --- src/shared/time-dst.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/shared/time-dst.c b/src/shared/time-dst.c index 926d22b..1ce6f72 100644 --- a/src/shared/time-dst.c +++ b/src/shared/time-dst.c @@ -183,7 +183,8 @@ read_again: return -EINVAL; } - transitions = malloc0(total_size + tzspec_len); + /* leave space for additional zone_names zero terminator */ + transitions = malloc0(total_size + tzspec_len + 1); if (transitions == NULL) return -EINVAL; -- 2.1.3
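Review bot: The new comment on the malloc0() call should name the write it makes room for, i.e. the `zone_names[chars] = '\0'` store at line 247 quoted in the mail, otherwise a later reader has no way to connect the `+ 1` to that terminator and may remove it as unexplained slack; something like `/* +1: room for the zone_names[chars] = '\0' terminator written below */` would do. Two smaller points: malloc0() zero-fills, so once the buffer is one byte larger the extra byte already holds NUL and the explicit store is redundant (harmless, but worth a word in the commit message), and the hunk gives no view of how total_size and tzspec_len are derived from the file's header counts, so the reviewer should confirm separately that the sum cannot wrap before the allocation.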
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
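The size arithmetic walked through in the mail, as an added example that is neither Martin's code nor systemd's: a small C model of the time-dst.c buffer layout that computes where the `zone_names[chars]` terminator store lands and compares it against the old and the enlarged allocation. The 8-byte ttinfo record, its 4-byte alignment and the omission of leap records are assumptions taken from the backtrace values (zone_names == types + 8, num_leaps == 0), not from the systemd source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 8-byte record, matching "zone_names == types + 8" in the mail. */
struct ttinfo { int32_t offset; uint8_t isdst; uint8_t idx; uint8_t isstd; uint8_t isgmt; };

struct tz_layout {
    size_t total_size;     /* bytes needed for transitions, type indices, types, names */
    size_t alloc_size;     /* bytes the parser actually allocates */
    size_t terminator_off; /* offset of the zone_names[chars] = '\0' store */
};

/* Hypothetical reconstruction of the layout computed before malloc0(): transition
 * times (trans_width each), one type-index byte per transition, padding to the
 * ttinfo alignment, then the ttinfo records and the zone name characters. */
static struct tz_layout compute_layout(size_t num_transitions, size_t trans_width,
                                       size_t num_types, size_t chars,
                                       size_t tzspec_len, bool extra_byte)
{
    size_t align = _Alignof(struct ttinfo);
    size_t types_idx = num_transitions * (trans_width + 1);
    types_idx = (types_idx + align - 1) / align * align;
    size_t names_off = types_idx + num_types * sizeof(struct ttinfo);

    struct tz_layout l;
    l.total_size = names_off + chars;
    l.terminator_off = names_off + chars;   /* the store sits exactly at total_size */
    l.alloc_size = l.total_size + tzspec_len + (extra_byte ? 1 : 0);
    return l;
}

/* In bounds only if the store offset is below the allocation size. With
 * tzspec_len > 0 the store is in bounds but would clobber tzspec[0] instead. */
static bool terminator_fits(struct tz_layout l)
{
    return l.terminator_off < l.alloc_size;
}

int main(void)
{
    /* Values from the backtrace: no transitions, one type, "UTC" plus NUL = 4 chars. */
    struct tz_layout old = compute_layout(0, 4, 1, 4, 0, false);
    struct tz_layout fixed = compute_layout(0, 4, 1, 4, 0, true);
    printf("total_size=%zu store at %zu: old alloc %zu -> %s, fixed alloc %zu -> %s\n",
           old.total_size, old.terminator_off, old.alloc_size,
           terminator_fits(old) ? "ok" : "OVERFLOW", fixed.alloc_size,
           terminator_fits(fixed) ? "ok" : "OVERFLOW");
    return 0;
}
```

The second test case below uses two transitions and eight name bytes to show that the store is one past the end whenever tzspec_len is 0, not only for the crash file.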