Follow-up Comment #11, bug #66209 (group screen):

The root cause for the issue is in the source code of the upstream version,
see lines 458-468 in attacher.c (SendCmdMessage):


p = m.m.command.cmd;
n = 0;
for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len;
        len = strlen(*av) + 1;
        /* explicit bounds check: stop unless the argument and its NUL fit,
           with one byte left over for the final terminator below */
        if (p + len >= m.m.command.cmd + ARRAY_SIZE(m.m.command.cmd) - 1)
                break;
        /* the bound stays MAXPATHLEN even though p has advanced into the buffer */
        strncpy(p, *av, MAXPATHLEN);
        p += len;
}
*p = 0;



In the strncpy call, the size of the buffer is not adjusted when the pointer is
advanced. This is normally fine since there is a sufficient bounds check
before the execution of strncpy. However, the code above will not work when
_FORTIFY_SOURCE is defined, which inserts an automatically generated bounds
check for the strncpy. The autogenerated check will compute the remaining size
of the buffer as the distance from p to the end of the buffer, and check it
against MAXPATHLEN, which will fail in the second loop iteration. So this is
not solely an arch issue; I can confirm the same when I build the program
according to the instructions on Ubuntu 24.04. I assume both distributions
somehow enable _FORTIFY_SOURCE by default.

This could be solved by using strncpy(p, *av, MAXPATHLEN-len) instead.



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66209>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

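The interaction described in the comment above, as an added example that is not code from GNU screen or from the bug reporter: fortify_trip_index replays the pointer arithmetic of the quoted loop and reports the iteration at which a FORTIFY-style check (bytes remaining from p to the end of the buffer compared against the fixed bound, the rule glibc's __strncpy_chk applies) would abort, and pack_args packs the same argument list with a copy length that is the already-checked len instead of a constant. The buffer size, argument limit, the function names and the sample argument vectors are assumptions constructed for illustration.

```c
/* Added example, not code from GNU screen: models the fortified strncpy
 * check against the packing loop quoted in the bug, and shows a copy bound
 * that tracks the remaining space. Constants and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define DEMO_CMD_SIZE 4096   /* assumed size of the cmd buffer (stands in for ARRAY_SIZE(cmd)) */
#define DEMO_BOUND    4096   /* the fixed third argument the quoted loop passes (MAXPATHLEN) */
#define DEMO_MAXARGS  64     /* stands in for MAXARGS; assumption */

/* Constructed sample inputs (not taken from the bug report). */
static const char *const DEMO_ARGS[] = { "screen", "-X", "stuff", "ls\n", NULL };
static const char *const DEMO_ONE[]  = { "screen", NULL };
static const char *const DEMO_LONG[] = { "abcdefgh", NULL };
static char demo_cmd[64];
static char demo_small[8];

/* Replay the quoted loop's pointer arithmetic without copying and return the
 * 0-based iteration at which a FORTIFY-style check would abort, or -1 if none.
 * The check modelled is glibc's __strncpy_chk rule "destlen < n", with destlen
 * taken as the bytes from p to the end of the buffer, i.e. what the compiler
 * reports for p once it has advanced into the array. */
int fortify_trip_index(const char *const *av, size_t bufsz, size_t bound, size_t maxargs)
{
    size_t off = 0, n = 0;
    for (; *av && n < maxargs - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;
        if (off + len >= bufsz - 1)       /* the loop's own explicit bounds check */
            break;
        if (bufsz - off < bound)          /* fortified check on the fixed bound */
            return (int)n;
        off += len;
    }
    return -1;
}

/* Hardened packing: same bounds check, but the copy length is the checked len
 * rather than a constant, so no fortify check ever sees an oversized bound.
 * strncpy(p, *av, (size_t)(end - p)) would also satisfy the check, but it
 * zero-fills every remaining byte on each iteration. Returns args packed; the
 * packed list is NUL-separated and ends with an empty string. */
size_t pack_args(char *buf, size_t bufsz, const char *const *av, size_t maxargs)
{
    char *p = buf, *end = buf + bufsz;
    size_t n = 0;
    for (; *av && n < maxargs - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;          /* includes the terminating NUL */
        if (len + 1 >= (size_t)(end - p))      /* same test as p + len >= end - 1 */
            break;                             /* keeps one byte for the final 0 */
        memcpy(p, *av, len);
        p += len;
    }
    *p = 0;                                    /* empty string terminates the list */
    return n;
}

int main(void)
{
    char cmd[DEMO_CMD_SIZE];
    printf("fortified check fires at iteration %d\n",
           fortify_trip_index(DEMO_ARGS, DEMO_CMD_SIZE, DEMO_BOUND, DEMO_MAXARGS));
    printf("packed %zu args\n", pack_args(cmd, sizeof cmd, DEMO_ARGS, DEMO_MAXARGS));
    return 0;
}
```

With a buffer and bound of equal size the first iteration passes (remaining == bound), and the second trips, which is the behaviour the comment reports; with a single argument the loop never reaches a second iteration and no check fires.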