Follow-up Comment #11, bug #66209 (group screen): The root cause for the issue is in the source code of the upstream version, see lines 458-468 in attacher.c (SendCmdMessage):
    p = m.m.command.cmd;
    n = 0;
    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len;
        len = strlen(*av) + 1;
        if (p + len >= m.m.command.cmd + ARRAY_SIZE(m.m.command.cmd) - 1)
            break;
        strncpy(p, *av, MAXPATHLEN);
        p += len;
    }
    *p = 0;
In the strcpy call, the size of the buffer is not adjusted when the pointer is
advanced. This is normally fine since there is a sufficient bounds check
before the execution of strcpy. However, the code above will not work when
_FORTIFY_SOURCE is defined, which inserts an automatically generated bounds
check for the strncpy. The autogenerated check will compute the remaining size
of the buffer as the distance from p to the end of the buffer, and check it
against MAXPATHLEN, which will fail in the second loop iteration. So this is
not solely an Arch issue; I can confirm the same when I build the program
according to the instructions on Ubuntu 24.04. I assume both distributions
somehow enable _FORTIFY_SOURCE by default.
This could be solved by using strncpy(p, *av, MAXPATHLEN-len) instead.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?66209>
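The check described in the comment above, modelled in code. This is an added example, not screen's code and not the poster's: it assumes cmd[] is MAXPATHLEN bytes, picks arbitrary values for MAXARGS and MAXPATHLEN, and uses a constructed argument vector ("select", "0"). fortify_trip_iteration() dry-runs the upstream loop and reports the iteration in which a fortified strncpy would abort, comparing the size argument against the bytes left between p and the end of cmd[] (what __builtin_object_size yields for p); because strncpy always writes exactly its size argument, padding with NULs, the comparison is against the full MAXPATHLEN and not against the length of the argument. pack_command() is the same loop with the bound shrunk to the remaining space, which is one way to repair it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXARGS 64        /* assumed value; only the "n < MAXARGS - 1" shape matters */
#define MAXPATHLEN 4096   /* the fixed bound the upstream strncpy passes */

/* Assumption: cmd[] is MAXPATHLEN bytes, standing in for m.m.command.cmd. */
struct cmdmsg {
    int nargs;
    char cmd[MAXPATHLEN];
};

enum bound_mode {
    BOUND_FIXED_MAXPATHLEN, /* upstream: strncpy(p, *av, MAXPATHLEN) */
    BOUND_REMAINING         /* repaired: strncpy(p, *av, end - p) */
};

/*
 * Dry-run the packing loop and return the 1-based iteration in which a
 * fortified strncpy would abort: the first iteration where the size argument
 * exceeds the bytes left between p and the end of cmd[].  strncpy writes
 * exactly its size argument (padding with NULs), so the check is against the
 * whole bound, not against strlen(*av).  Returns 0 if no iteration trips.
 * Nothing is copied, so the buggy bound can be tried without any
 * out-of-bounds write.
 */
static size_t fortify_trip_iteration(const char *const *av, enum bound_mode mode)
{
    size_t off = 0;     /* p - cmd */
    int n = 0;

    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;
        if (off + len >= MAXPATHLEN - 1)   /* upstream's explicit bounds check */
            break;
        size_t remaining = MAXPATHLEN - off;   /* what the fortified check sees */
        size_t bound = (mode == BOUND_FIXED_MAXPATHLEN) ? MAXPATHLEN : remaining;
        if (bound > remaining)
            return (size_t)n + 1;
        off += len;
    }
    return 0;
}

/*
 * Pack av into m->cmd as NUL-separated strings, as SendCmdMessage does, but
 * with the strncpy bounded by the space left in cmd[] rather than by
 * MAXPATHLEN.  Returns the number of arguments packed; cmd[] ends with an
 * extra NUL after the last string.
 */
static int pack_command(struct cmdmsg *m, const char *const *av)
{
    char *p = m->cmd;
    char *end = m->cmd + sizeof m->cmd;
    int n = 0;

    memset(m, 0, sizeof *m);
    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;
        if (p + len >= end - 1)
            break;
        strncpy(p, *av, (size_t)(end - p));  /* bound shrinks as p advances */
        p += len;
    }
    *p = 0;
    m->nargs = n;
    return n;
}

/* Pack av and compare the first expected_len bytes of cmd[] with expected. */
static int packed_layout_matches(const char *const *av, const char *expected, size_t expected_len)
{
    struct cmdmsg m;
    if (expected_len > sizeof m.cmd)
        return 0;
    pack_command(&m, av);
    return memcmp(m.cmd, expected, expected_len) == 0;
}

/* Constructed inputs: a two-argument and a one-argument command. */
static const char *const demo_args[] = { "select", "0", NULL };
static const char *const demo_single[] = { "select", NULL };

int main(void)
{
    struct cmdmsg m;
    int n = pack_command(&m, demo_args);

    printf("packed %d args (nargs=%d)\n", n, m.nargs);
    printf("fixed MAXPATHLEN bound trips in iteration %zu (0 = never)\n",
           fortify_trip_iteration(demo_args, BOUND_FIXED_MAXPATHLEN));
    printf("single-arg command with fixed bound trips in iteration %zu\n",
           fortify_trip_iteration(demo_single, BOUND_FIXED_MAXPATHLEN));
    printf("remaining-space bound trips in iteration %zu\n",
           fortify_trip_iteration(demo_args, BOUND_REMAINING));
    return 0;
}
```

With two arguments the fixed bound passes the first iteration (4096 requested, 4096 left) and fails the second (4096 requested, 4089 left), which is the behaviour the comment describes; a single-argument command never trips, which is why the problem only shows up with multi-word commands. The remaining-space bound never exceeds what is left, so the fortified check is satisfied in every iteration.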