| Message ID | 20240605134054.2626953-24-jmarchan@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 9677c423e54b6666947ef5c3b29586c2731ddb59 |
| Headers | show |
| Series | trace-cmd: fix misc issues found by static analysis | expand |
On Wed, 5 Jun 2024 15:40:38 +0200 "Jerome Marchand" <jmarchan@redhat.com> wrote: > > Fixes an OVERRUN error (CWE-119) > > Signed-off-by: Jerome Marchand <jmarchan@redhat.com> > --- > lib/trace-cmd/trace-input.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/lib/trace-cmd/trace-input.c b/lib/trace-cmd/trace-input.c > index 3284dbd4..c485acea 100644 > --- a/lib/trace-cmd/trace-input.c > +++ b/lib/trace-cmd/trace-input.c > @@ -447,15 +447,13 @@ static char *read_string(struct tracecmd_input *handle) > str = realloc(str, size); Hmm, the above is a memory leak if it fails. That should be: tmp = realloc(str, size); if (!tmp) { free(str); return NULL; } str = tmp; Not to do with your patch, but I think this code is generally wrong. :-/ Let's say BUFSIZ = 1024, and a string is 1124 in size, including the '\0'. That is str[1123] = '\0'. The loop would end with: size = 1024; i = 99; size += i + 1; // size = 1124; > if (!str) > return NULL; > - memcpy(str + (size - i), buf, i); > - str[size] = 0; > + memcpy(str + (size - i), buf, i + 1); size - i = 1025 I think this is wrong, as we should be copying to str + 1024, and not str + 1025. This should be fixed, but has nothing to do with this particular patch. Thanks, -- Steve > } else { > size = i + 1; > str = malloc(size); > if (!str) > return NULL; > - memcpy(str, buf, i); > - str[i] = 0; > + memcpy(str, buf, i + 1); > } > > return str;
diff --git a/lib/trace-cmd/trace-input.c b/lib/trace-cmd/trace-input.c index 3284dbd4..c485acea 100644 --- a/lib/trace-cmd/trace-input.c +++ b/lib/trace-cmd/trace-input.c @@ -447,15 +447,13 @@ static char *read_string(struct tracecmd_input *handle) str = realloc(str, size); if (!str) return NULL; - memcpy(str + (size - i), buf, i); - str[size] = 0; + memcpy(str + (size - i), buf, i + 1); } else { size = i + 1; str = malloc(size); if (!str) return NULL; - memcpy(str, buf, i); - str[i] = 0; + memcpy(str, buf, i + 1); } return str;
In read_string() we try to write a null character at str(size), which is out of range: if (str) { size += i + 1; str = realloc(str, size); if (!str) return NULL; memcpy(str + (size - i), buf, i); str[size] = 0; } The character that should be zeroed is supposed to be at the size - 1 index, which is the size of str prior the reallocation plus i. We also know that buf[i] == 0 so we can simply memcpy that too instead of zeroing it by hand. That simplifies the code a little. Fixes an OVERRUN error (CWE-119) Signed-off-by: Jerome Marchand <jmarchan@redhat.com> --- lib/trace-cmd/trace-input.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)