svn commit: r286169 - head/cddl/contrib/opensolaris/lib/libdtrace/common

Sat, 01 Aug 2015 17:19:14 -0700 

Author: markj
Date: Sun Aug  2 00:18:48 2015
New Revision: 286169
URL: https://svnweb.freebsd.org/changeset/base/286169

Log:
  Perform bounds checking when constructing a format string.
  
  This was detected by the FORTIFY_SOURCE build.
  
  PR:           201657
  Reported by:  pfg
  MFC after:    2 weeks

Modified:
  head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c

Modified: head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c
==============================================================================
--- head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c      Sun Aug 
 2 00:15:52 2015        (r286168)
+++ head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_printf.c      Sun Aug 
 2 00:18:48 2015        (r286169)
@@ -1348,6 +1348,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
        dtrace_aggdesc_t *agg;
        caddr_t lim = (caddr_t)buf + len, limit;
        char format[64] = "%";
+       size_t ret;
        int i, aggrec, curagg = -1;
        uint64_t normal;
 
@@ -1379,7 +1380,9 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
                int prec = pfd->pfd_prec;
                int rval;
 
+               const char *start;
                char *f = format + 1; /* skip initial '%' */
+               size_t fmtsz = sizeof(format) - 1;
                const dtrace_recdesc_t *rec;
                dt_pfprint_f *func;
                caddr_t addr;
@@ -1536,6 +1539,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
                        break;
                }
 
+               start = f;
                if (pfd->pfd_flags & DT_PFCONV_ALT)
                        *f++ = '#';
                if (pfd->pfd_flags & DT_PFCONV_ZPAD)
@@ -1548,6 +1552,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
                        *f++ = '\'';
                if (pfd->pfd_flags & DT_PFCONV_SPACE)
                        *f++ = ' ';
+               fmtsz -= f - start;
 
                /*
                 * If we're printing a stack and DT_PFCONV_LEFT is set, we
@@ -1558,13 +1563,20 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
                if (func == pfprint_stack && (pfd->pfd_flags & DT_PFCONV_LEFT))
                        width = 0;
 
-               if (width != 0)
-                       f += snprintf(f, sizeof (format), "%d", ABS(width));
+               if (width != 0) {
+                       ret = snprintf(f, fmtsz, "%d", ABS(width));
+                       f += ret;
+                       fmtsz = MAX(0, fmtsz - ret);
+               }
 
-               if (prec > 0)
-                       f += snprintf(f, sizeof (format), ".%d", prec);
+               if (prec > 0) {
+                       ret = snprintf(f, fmtsz, ".%d", prec);
+                       f += ret;
+                       fmtsz = MAX(0, fmtsz - ret);
+               }
 
-               (void) strcpy(f, pfd->pfd_fmt);
+               if (strlcpy(f, pfd->pfd_fmt, fmtsz) >= fmtsz)
+                       return (dt_set_errno(dtp, EDT_COMPILER));
                pfd->pfd_rec = rec;
 
                if (func(dtp, fp, format, pfd, addr, size, normal) < 0)
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to