Hello,

An OOB write issue was reported by Mr Ling Liu, CC'd here. It occurs while processing the 'sendkey' command, if the command argument was longer than
the 'keyname_buf[16]' buffer.

===
From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <p...@fedoraproject.org>
Date: Thu, 17 Dec 2015 17:47:15 +0530
Subject: [PATCH] hmp: avoid redundant null termination of buffer

When processing the 'sendkey' command, the hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB write
issue, if 'keyname_len' was to fall outside of the 'keyname_buf' array.
Removed the redundant null termination, as the pstrcpy routine already
null terminates the target buffer.

Reported-by: Ling Liu <liuling...@360.cn>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hmp.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hmp.c b/hmp.c
index 2140605..e530c9c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
         /* Be compatible with old interface, convert user inputted "<" */
         if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
             pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
-            keyname_len = 4;
         }
-        keyname_buf[keyname_len] = 0;

         keylist = g_malloc0(sizeof(*keylist));
         keylist->value = g_malloc0(sizeof(*keylist->value));
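Review bot: with the `keyname_buf[keyname_len] = 0;` write removed, a key name longer than the buffer is now silently truncated by `pstrcpy(keyname_buf, sizeof(keyname_buf), ...)` instead of being rejected, and the user only sees a later lookup failure on the truncated name; consider checking `keyname_len >= sizeof(keyname_buf)` before the copy and reporting an error for the overlong key. Also worth confirming that dropping `keyname_len = 4;` is safe: nothing in the hunk still uses `keyname_len` to index the buffer, but if the value is read later in the loop, the "<" path now leaves it at 1 rather than 4, and the commit message should say why that is the intended behaviour.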
--
2.4.3
===

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
