Date: Thu, 27 Aug 2015 23:46:45 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r287228 - stable/9/cddl/contrib/opensolaris/lib/libdtrace/common Message-ID: <201508272346.t7RNkj4A014004@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Thu Aug 27 23:46:45 2015 New Revision: 287228 URL: https://svnweb.freebsd.org/changeset/base/287228 Log: MFC r286169: Perform bounds checking when constructing a format string. PR: 201657 Modified: stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c Directory Properties: stable/9/cddl/contrib/opensolaris/ (props changed) stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/ (props changed) Modified: stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c ============================================================================== --- stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c Thu Aug 27 23:46:42 2015 (r287227) +++ stable/9/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c Thu Aug 27 23:46:45 2015 (r287228) @@ -1348,6 +1348,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE dtrace_aggdesc_t *agg; caddr_t lim = (caddr_t)buf + len, limit; char format[64] = "%"; + size_t ret; int i, aggrec, curagg = -1; uint64_t normal; @@ -1379,7 +1380,9 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE int prec = pfd->pfd_prec; int rval; + const char *start; char *f = format + 1; /* skip initial '%' */ + size_t fmtsz = sizeof(format) - 1; const dtrace_recdesc_t *rec; dt_pfprint_f *func; caddr_t addr; @@ -1536,6 +1539,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE break; } + start = f; if (pfd->pfd_flags & DT_PFCONV_ALT) *f++ = '#'; if (pfd->pfd_flags & DT_PFCONV_ZPAD) @@ -1548,6 +1552,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE *f++ = '\''; if (pfd->pfd_flags & DT_PFCONV_SPACE) *f++ = ' '; + fmtsz -= f - start; /* * If we're printing a stack and DT_PFCONV_LEFT is set, we @@ -1558,13 +1563,20 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE if (func == pfprint_stack && (pfd->pfd_flags & DT_PFCONV_LEFT)) width = 0; - if (width != 0) - f += snprintf(f, sizeof (format), "%d", ABS(width)); + if (width != 0) { + ret = snprintf(f, fmtsz, "%d", ABS(width)); + f += ret; + fmtsz = MAX(0, fmtsz - ret); + } - if (prec > 0) - f += snprintf(f, sizeof (format), ".%d", prec); + if (prec > 0) { + ret = snprintf(f, fmtsz, ".%d", prec); + f += ret; + fmtsz = MAX(0, fmtsz - ret); + } - (void) strcpy(f, pfd->pfd_fmt); + if (strlcpy(f, pfd->pfd_fmt, fmtsz) >= fmtsz) + return (dt_set_errno(dtp, EDT_COMPILER)); pfd->pfd_rec = rec; if (func(dtp, fp, format, pfd, addr, size, normal) < 0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508272346.t7RNkj4A014004>