On Mon, 17 Jun 2019 22:16:46 -0400 Steven Rostedt <rost...@goodmis.org> wrote:
> On Sat, 1 Jun 2019 00:19:17 +0900
> Masami Hiramatsu <mhira...@kernel.org> wrote:
>
> > +static bool trace_uprobe_match_command_head(struct trace_uprobe *tu,
> > +					    int argc, const char **argv)
> > +{
> > +	char buf[MAX_ARGSTR_LEN + 1];
> > +	int len;
> > +
> > +	if (!argc)
> > +		return true;
> > +
> > +	len = strlen(tu->filename);
> > +	if (argv[0][len] != ':' || strncmp(tu->filename, argv[0], len))
>
> Hmm, isn't it possible that 'len' can be greater than whatever argv[0] is?
>
> The argv[0][len] looks very dangerous to me.

Ah, right! It can lead to an unexpected memory access!

> Perhaps that should be changed to:
>
> 	if (!(!strncmp(tu->filename, argv[0], len) && argv[0][len] == ':'))
>
> That way, the test of argv[0][len] will only happen if argv[0] is of length
> len.

OK, I'll take it! Thank you!

> -- Steve
>
> > +		return false;
> > +
> > +	if (tu->ref_ctr_offset == 0)
> > +		snprintf(buf, sizeof(buf), "0x%0*lx",
> > +			 (int)(sizeof(void *) * 2), tu->offset);
> > +	else
> > +		snprintf(buf, sizeof(buf), "0x%0*lx(0x%lx)",
> > +			 (int)(sizeof(void *) * 2), tu->offset,
> > +			 tu->ref_ctr_offset);
> > +	if (strcmp(buf, &argv[0][len + 1]))
> > +		return false;
> > +
> > +	argc--; argv++;
> > +
> > +	return trace_probe_match_command_args(&tu->tp, argc, argv);
> > +}
> > +

-- 
Masami Hiramatsu <mhira...@kernel.org>
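Review bot: the check `if (argv[0][len] != ':' || strncmp(tu->filename, argv[0], len))` indexes argv[0][len] before anything has established that argv[0] is at least len bytes long, so an argument shorter than tu->filename reads past its terminating NUL. The reordered form `if (!(!strncmp(tu->filename, argv[0], len) && argv[0][len] == ':'))` is correct because strncmp returning 0 means the first len bytes of argv[0] matched the non-NUL bytes of tu->filename, which guarantees index len lies inside the string. The later `strcmp(buf, &argv[0][len + 1])` relies on the same guarantee (it is only reached once argv[0][len] == ':'), so a one-line comment above the check saying the strncmp must run first would keep a future edit from reintroducing the out-of-bounds read. Separately, snprintf into buf[MAX_ARGSTR_LEN + 1] cannot overflow, but if the formatted offset (or offset plus ref_ctr_offset) were ever longer than MAX_ARGSTR_LEN the match would silently fail instead of reporting an error; a comment stating that MAX_ARGSTR_LEN is sized for that string would document the assumption.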