From: Dave Jones <davej@redhat.com>
To: Michael Ellerman <mpe@ellerman.id.au>
Cc: trinity@vger.kernel.org
Subject: Re: [PATCH] Fix buffer overflow in output() when pid slot is not found
Date: Fri, 23 May 2014 20:51:02 -0400
Message-ID: <20140524005102.GB7139@redhat.com>
In-Reply-To: <1400836143-22355-1-git-send-email-mpe@ellerman.id.au>

On Fri, May 23, 2014 at 07:09:03PM +1000, Michael Ellerman wrote:
> In output() we sprintf() the result of find_pid_slot(). We print the pid
> slot to the buffer with %u and have space for two digits of pid slot.
> find_pid_slot() potentially returns PIDSLOT_NOT_FOUND (-1), which when
> printed with %u is 4294967295 - ten digits.
>
> Fix it two ways, use snprintf() - truncated output is better than a
> buffer overflow. And allocate more space in the buffer, 32 bytes is a
> nice round size, and gives us space for everything.

heh, this has been nagging me from time to time, but it wasn't a problem
until recently. I'm curious why you're hitting that PIDSLOT_NOT_FOUND
case though, as it's a "should never happen" case.

Anyway, it's the right thing to do, so I pushed this out.

> @@ -311,7 +311,7 @@ void output(unsigned char level, const char *fmt, ...)
> unsigned int slot;
>
> slot = find_pid_slot(pid);
> - sprintf(child_prefix, "[child%u:%u]", slot, pid);
> + snprintf(child_prefix, sizeof(child_prefix), "[child%u:%u]", slot, pid);
> prefix = child_prefix;
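
Review bot: the return value of snprintf() on the added line is discarded, so a prefix cut off at sizeof(child_prefix) is emitted silently; comparing the return value against sizeof(child_prefix) would make truncation visible. sizeof(child_prefix) is also only the buffer size if child_prefix is declared as an array in this scope, and that declaration is outside the visible hunk, so it is worth confirming. Since slot is an unsigned int and the commit message says find_pid_slot() can return PIDSLOT_NOT_FOUND (-1), an explicit slot == PIDSLOT_NOT_FOUND test before formatting would avoid printing the sentinel as a ten-digit number.
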

might be worth it to add something later to print PIDSLOT_NOT_FOUND entries as '?'
rather than 4294967295.

thanks,

Dave
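
The failure mode from the patch description, as an added example that is not part of the original thread or of trinity's code: it checks snprintf()'s return value for truncation and prints an unknown slot as '?', as the reply suggests. format_child_prefix() is a hypothetical helper, the 16-byte buffer and the pid values are constructed, and PIDSLOT_NOT_FOUND is defined here as (unsigned int)-1 on the assumption that it matches the -1 in the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: sentinel value as described in the commit message (-1). */
#define PIDSLOT_NOT_FOUND ((unsigned int)-1)

/*
 * Hypothetical helper: writes "[childN:PID]" into buf, using '?' for an
 * unknown slot. Returns 0 on success, -1 if the output did not fit
 * (buf still holds a NUL-terminated, truncated prefix when size > 0).
 */
int format_child_prefix(char *buf, size_t size, unsigned int slot,
                        unsigned int pid)
{
    int n;

    if (slot == PIDSLOT_NOT_FOUND)
        n = snprintf(buf, size, "[child?:%u]", pid);
    else
        n = snprintf(buf, size, "[child%u:%u]", slot, pid);

    /* snprintf returns the length it wanted to write, excluding the NUL. */
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

int main(void)
{
    char small[16];   /* constructed size, deliberately tight */
    char big[32];     /* the size chosen in the patch description */

    /* "[child4294967295:12345]" is 23 chars + NUL: too long for 16 bytes. */
    int n = snprintf(small, sizeof(small), "[child%u:%u]",
                     PIDSLOT_NOT_FOUND, 12345u);
    printf("wanted %d bytes, kept \"%s\"\n", n, small);

    if (format_child_prefix(big, sizeof(big), PIDSLOT_NOT_FOUND, 12345u) == 0)
        printf("%s\n", big);
    if (format_child_prefix(small, sizeof(small), 7u, 4000000000u) != 0)
        printf("truncated: \"%s\"\n", small);
    return 0;
}
```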