From: Veronika Kabatova <vkabatov@redhat.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] Fix buffer overflow in print_result() function
Date: Tue, 7 Nov 2017 10:35:32 -0500 (EST)
Message-ID: <1746889375.15009678.1510068932445.JavaMail.zimbra@redhat.com>
In-Reply-To: <20171106150058.GA1662@rei>
----- Original Message -----
> From: "Cyril Hrubis" <chrubis@suse.cz>
> To: vkabatov@redhat.com
> Cc: ltp@lists.linux.it
> Sent: Monday, November 6, 2017 4:00:58 PM
> Subject: Re: [LTP] [PATCH] Fix buffer overflow in print_result() function
>
> Hi!
> > lib/tst_test.c | 18 ++++++++++++++++--
> > 1 file changed, 16 insertions(+), 2 deletions(-)
> >
> > diff --git a/lib/tst_test.c b/lib/tst_test.c
> > index c8baf2a43..09691031e 100644
> > --- a/lib/tst_test.c
> > +++ b/lib/tst_test.c
> > @@ -180,7 +180,7 @@ static void print_result(const char *file, const int
> > lineno, int ttype,
> > {
> > char buf[1024];
> > char *str = buf;
> > - int ret, size = sizeof(buf);
> > + int ret, overflowed = 0, size = sizeof(buf);
> > const char *str_errno = NULL;
> > const char *res;
> >
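Review bot: on the changed declaration line, `ret` and `size` stay signed `int`, and the checks added further down test only `ret >= size`. vsnprintf() and snprintf() return a negative value on an output error, which passes that test and lets `str += ret` and `size -= ret` move in the wrong direction. Consider treating `ret < 0` as a failure alongside the overflow case.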
> > @@ -227,17 +227,31 @@ static void print_result(const char *file, const int
> > lineno, int ttype,
> > size -= ret;
> >
> > ret = vsnprintf(str, size, fmt, va);
> > + if (ret >= size) {
> > + overflowed = 1;
> > + goto finish;
> > + }
> > str += ret;
> > size -= ret;
> >
> > if (str_errno) {
> > ret = snprintf(str, size, ": %s", str_errno);
> > + if (ret >= size) {
> > + overflowed = 1;
> > + goto finish;
> > + }
> > str += ret;
> > size -= ret;
> > }
>
> We can simplify this a bit I guess.
>
> We may as well pass size-2 to the snprintf() functions here, then add
> MIN(ret, size-2) to the str. Then we don't have to use the overflowed
> variable since the str would point to the end of the composed string
> and there would be always at least two bytes in the buffer so that the
> last one can be just sprintf() or strcpy().
>
> > - snprintf(str, size, "\n");
> > +finish:
> > + /* Keep space for newline and \0 if the buffer was filled */
> > + if (overflowed) {
> > + str += size - 2;
> > + size = 2;
> > + }
> >
> > + snprintf(str, size, "\n");
> > fputs(buf, stderr);
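Review bot: the `ret >= size` checks let through the case `ret == size - 1`, which leaves `size` at 1 on the non-overflow path, so the final `snprintf(str, size, "\n")` has room only for the terminator and the newline is dropped without `overflowed` being set. Testing `ret >= size - 1` at both checks, or keeping the bytes for the newline and terminator out of the size passed to the earlier calls, closes that case.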
>
> What about printing TWARN message here in a case that the message was
> shortened, something as tst_res_(file, lineno, TWARN, "Previous message was
> too long!"),
> we would have to keep the overflow flag for that though...
>
Hi, I like this idea. I'll rewrite it differently so we don't need to keep
the flag and also include the MIN() macro you mentioned above.
> > }
> >
> > --
> > 2.13.6
> >
> >
> > --
> > Mailing list info: https://lists.linux.it/listinfo/ltp
>
> --
> Cyril Hrubis
> chrubis@suse.cz
>
Veronika Kabatova
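
One way to realise the reserve-space idea discussed in this thread, as an added example that is not part of either message or of LTP's code: each append offers vsnprintf() one byte less than is free and advances by the number of characters actually stored, so two bytes always remain for the newline and terminator. The names append_fmt and compose_line and the sample strings are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical helper (not LTP code). Invariant: *size >= 2 on entry and on
 * exit, so "\n" plus the terminator always fit at *str.
 * Returns 1 when the text had to be shortened or formatting failed. */
static int append_fmt(char **str, int *size, const char *fmt, ...)
{
	va_list va;
	int ret, stored;

	va_start(va, fmt);
	/* Offer one byte less than is free: that byte is kept for '\n'. */
	ret = vsnprintf(*str, *size - 1, fmt, va);
	va_end(va);
	if (ret < 0)	/* output error: do not move the pointer at all */
		return 1;
	/* ret is the length wanted; at most *size - 2 characters were stored. */
	stored = MIN(ret, *size - 2);
	*str += stored;
	*size -= stored;
	return ret > stored;
}

/* Build "<tag><msg>[: <err>]\n" in out (out_len >= 2); returns 1 if shortened. */
static int compose_line(char *out, int out_len, const char *tag,
			const char *msg, const char *err)
{
	char *str = out;
	int size = out_len, cut;

	cut = append_fmt(&str, &size, "%s", tag);
	cut |= append_fmt(&str, &size, "%s", msg);
	if (err)
		cut |= append_fmt(&str, &size, ": %s", err);
	str[0] = '\n';	/* the two reserved bytes */
	str[1] = '\0';
	return cut;
}

int main(void)
{
	char small[16];	/* constructed: tiny buffer to force truncation */
	int cut = compose_line(small, sizeof(small), "t.c:1: ", "FAIL: open()", "ENOENT");

	fputs(small, stderr);
	return (cut && strlen(small) == sizeof(small) - 1) ? 0 : 1;
}
```

The return value of compose_line() is the place to hook a follow-up warning about a shortened message, without carrying a separate flag through the formatting code.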
Thread overview: 3+ messages
2017-11-03 16:13 [LTP] [PATCH] Fix buffer overflow in print_result() function vkabatov
2017-11-06 15:00 ` Cyril Hrubis
2017-11-07 15:35 ` Veronika Kabatova [this message]