Hi all, I ran into a buffer overwrite which caused a crash when starting tmux on Linux.
I downloaded tmux 1.9a and installed it from the sources. tmux crashes (aborts) on my Linux machine right after start, in libc, with the following call stack:

Program terminated with signal 6, Aborted.
#0  0x00007f51f5d09b55 in raise () from /lib64/libc.so.6
(gdb) where
#0  0x00007f51f5d09b55 in raise () from /lib64/libc.so.6
#1  0x00007f51f5d0b131 in abort () from /lib64/libc.so.6
#2  0x00007f51f5d4d640 in malloc_printerr () from /lib64/libc.so.6
#3  0x00000000004066b3 in client_main ()
#4  0x0000000000434342 in main ()

The crash is in a call to free(2). It is caused by a buffer overwrite in cmd_pack_argv() in cmd.c. The error is that the function unconditionally writes '\0' to the first byte of the output buffer without checking the output buffer size or argc. If argc is 0, the output buffer size is 0, and we overwrite one byte beyond the range allocated in client_main() (client.c line 291). This does not always lead to an error; it depends on whether there is any important data beyond the allocated 4 bytes.

I believe the small patch below fixes the bug; at least it makes the bug disappear on my machine:

--- cmd.c_	2014-09-16 14:07:01.000000000 +0200
+++ cmd.c	2014-09-16 14:07:49.000000000 +0200
@@ -138,6 +138,10 @@
 	size_t arglen;
 	int i;
 
+	if (argc == 0) {
+		return (0);
+	}
+
 	*buf = '\0';
 	for (i = 0; i < argc; i++) {
 		if (strlcpy(buf, argv[i], len) >= len)

Kind Regards,
Thomas Stüfe
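Review bot: the early return on argc == 0 leaves buf untouched even when len > 0, so a caller that passes an empty argv with a real buffer and then treats buf as a string reads whatever was there before; the original `*buf = '\0';` gave it an empty string. The report itself says the root cause is writing without checking the buffer size, so the guard belongs on len rather than argc: either `if (len == 0) return (argc == 0 ? 0 : -1);` before the write, or `if (len > 0) *buf = '\0';`, which also covers the client_main() case (argc == 0 with a zero-sized buffer) without changing the argc == 0, len > 0 behaviour. Minor style point: the surrounding code does not brace a single-statement if (see the `if (strlcpy(...) >= len)` line in the context), so the added braces can go.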
Attachment: fix.patch
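The bug class above (an unconditional terminator write into a buffer whose length may be zero) is easy to reproduce without depending on malloc's chunk layout. The following is an added illustration, not tmux's own cmd_pack_argv() or client_main(): the names pack_argv_vuln, pack_argv_safe and copy_bounded are hypothetical, copy_bounded stands in for strlcpy so the file builds on glibc, and the packing format (each argv element copied with a NUL separator, advancing buf and len) is assumed from the description in the report. The hardened form guards on len rather than argc, so that argc == 0 with a real buffer still yields an empty string, while len == 0 never writes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not tmux code. Two versions of a routine with the
 * shape the report describes: write '\0', then copy each argv element
 * into buf with a bounded copy, advancing buf and len. Names are hypothetical.
 */

/* Portable stand-in for strlcpy: returns strlen(src); NUL-terminates dst if len > 0. */
static size_t copy_bounded(char *dst, const char *src, size_t len)
{
	size_t n = strlen(src);

	if (len > 0) {
		size_t c = n < len - 1 ? n : len - 1;
		memcpy(dst, src, c);
		dst[c] = '\0';
	}
	return (n);
}

/* Vulnerable form: the terminator is written before len is consulted. */
int pack_argv_vuln(int argc, char **argv, char *buf, size_t len)
{
	size_t arglen;
	int i;

	*buf = '\0';	/* one byte past the end when len == 0 */
	for (i = 0; i < argc; i++) {
		if (copy_bounded(buf, argv[i], len) >= len)
			return (-1);
		arglen = strlen(argv[i]) + 1;
		buf += arglen;
		len -= arglen;
	}
	return (0);
}

/* Hardened form: nothing is written unless the buffer has room for it. */
int pack_argv_safe(int argc, char **argv, char *buf, size_t len)
{
	size_t arglen;
	int i;

	if (len == 0)
		return (argc == 0 ? 0 : -1);
	*buf = '\0';
	for (i = 0; i < argc; i++) {
		if (copy_bounded(buf, argv[i], len) >= len)
			return (-1);
		arglen = strlen(argv[i]) + 1;
		buf += arglen;
		len -= arglen;
	}
	return (0);
}

/*
 * Reproduce the report's case deterministically: a zero-length "buffer"
 * placed inside a larger arena, so the byte the vulnerable version
 * clobbers is a canary we can inspect (the write stays inside the arena,
 * so the demo itself is well defined). Returns 1 if the canary changed.
 */
int clobbers_neighbour(int (*pack)(int, char **, char *, size_t))
{
	unsigned char arena[8];

	memset(arena, 0xAA, sizeof arena);
	pack(0, NULL, (char *)arena + 4, 0);	/* argc == 0, len == 0 */
	return (arena[4] != 0xAA);
}

/* Normal packing: "ab" and "cd" into 8 bytes must give "ab\0cd\0". Returns 1 on match. */
int packs_two_args(int (*pack)(int, char **, char *, size_t))
{
	char *argv[] = { "ab", "cd" };
	char buf[8];

	memset(buf, 'X', sizeof buf);
	if (pack(2, argv, buf, sizeof buf) != 0)
		return (0);
	return (memcmp(buf, "ab\0cd\0", 6) == 0);
}

/* An argument that does not fit must be rejected, not silently truncated. Returns 1 if rejected. */
int rejects_overflow(int (*pack)(int, char **, char *, size_t))
{
	char *argv[] = { "toolong" };
	char buf[4];

	return (pack(1, argv, buf, sizeof buf) == -1);
}

int main(void)
{
	printf("vulnerable clobbers neighbour: %d\n", clobbers_neighbour(pack_argv_vuln));
	printf("hardened clobbers neighbour:   %d\n", clobbers_neighbour(pack_argv_safe));
	return (0);
}
```

Building with -fsanitize=address and calling the vulnerable version on a real malloc(0) result, as client_main() effectively does per the report, turns the silent one-byte overwrite into an immediate heap-buffer-overflow report instead of a later abort in free().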
tmux-users mailing list
tmux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tmux-users