* [9fans] snprintf buffer overrun
@ 2016-11-27 14:58 Porlock
2016-11-27 20:20 ` cinap_lenrek
2016-11-27 20:31 ` cinap_lenrek
0 siblings, 2 replies; 3+ messages in thread
From: Porlock @ 2016-11-27 14:58 UTC (permalink / raw)
To: 9fans
[-- Attachment #1: Type: text/plain, Size: 541 bytes --]
Plan 9's implementation of the standard C functions snprintf and
vsnprintf have a buffer overrun bug.
If the buffer length equals the output length (without the terminating
null), then one too many characters is written to the buffer.
For example,
snprintf(buf, 4, "ABCD");
will write 5 characters to buf.
Attached is a short program to illustrate this, which gives the
following output :-
% 8c printftest.c && 8l printftest.8
% ./8.out
A B C D \0 * * * * * * * * * * *
[-- Attachment #2: printftest.c --]
[-- Type: text/x-csrc, Size: 341 bytes --]
#include <u.h>
#include <libc.h>
#include <stdio.h>
void main()
{
char buf[16];
int i;
memset(buf, '*', sizeof(buf));
snprintf(buf, 4, "ABCD");
for (i = 0; i < sizeof(buf); ++i) {
if (buf[i])
print(" %c ", buf[i]);
else
print(" \\0");
}
print("\n");
}
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [9fans] snprintf buffer overrun
2016-11-27 14:58 [9fans] snprintf buffer overrun Porlock
@ 2016-11-27 20:20 ` cinap_lenrek
2016-11-27 20:31 ` cinap_lenrek
1 sibling, 0 replies; 3+ messages in thread
From: cinap_lenrek @ 2016-11-27 20:20 UTC (permalink / raw)
To: 9fans
theres a bug is in sclose() where it doesnt check if wp is beyond
the buffer. also wp was not updated after realloc().
--- a/sys/src/libstdio/sclose.c Sat Nov 19 16:47:21 2016 +0100
+++ b/sys/src/libstdio/sclose.c Sun Nov 27 21:07:48 2016 +0100
@@ -5,27 +5,35 @@
char *sclose(FILE *f){
switch(f->state){
default: /* ERR CLOSED */
+ Error:
if(f->buf && f->flags&BALLOC)
free(f->buf);
- f->flags=0;
- return NULL;
+ f->buf=0;
+ break;
case OPEN:
f->buf=malloc(1);
f->buf[0]='\0';
break;
case RD:
case END:
- f->flags=0;
break;
case RDWR:
case WR:
+ f->rp=f->buf+f->bufl;
if(f->wp==f->rp){
- if(f->flags&BALLOC)
- f->buf=realloc(f->buf, f->bufl+1);
- if(f->buf==NULL) return NULL;
+ if(f->flags&BALLOC){
+ char *t = realloc(f->buf, f->bufl+1);
+ if(t==NULL)
+ goto Error;
+ f->buf=t;
+ f->wp=t+f->bufl;
+ } else {
+ if(f->wp > f->buf)
+ *(f->wp-1) = '\0';
+ goto Error;
+ }
}
*f->wp='\0';
- f->flags=0;
break;
}
f->state=CLOSED;
--
cinap
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [9fans] snprintf buffer overrun
2016-11-27 14:58 [9fans] snprintf buffer overrun Porlock
2016-11-27 20:20 ` cinap_lenrek
@ 2016-11-27 20:31 ` cinap_lenrek
1 sibling, 0 replies; 3+ messages in thread
From: cinap_lenrek @ 2016-11-27 20:31 UTC (permalink / raw)
To: 9fans
commited fix in 9front, thanks for reporting!
--
cinap
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-11-27 20:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-27 14:58 [9fans] snprintf buffer overrun Porlock
2016-11-27 20:20 ` cinap_lenrek
2016-11-27 20:31 ` cinap_lenrek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).