From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [PATCH] Fix off-by-one buffer overflow in getdelim
Date: Sat, 24 Oct 2015 20:32:02 -0400 [thread overview]
Message-ID: <20151025003202.GA8645@brightrain.aerifal.cx> (raw)
In-Reply-To: <20151024233515.GZ8645@brightrain.aerifal.cx>
On Sat, Oct 24, 2015 at 07:35:15PM -0400, Rich Felker wrote:
> On Sun, Oct 25, 2015 at 12:25:52AM +0200, Felix Janda wrote:
> > Rich Felker wrote:
> > > On Sat, Oct 24, 2015 at 10:43:39PM +0200, Felix Janda wrote:
> > > > when deciding whether to resize the buffer, the terminating null byte
> > > > was not taken into account
> > > > ---
> > > > src/stdio/getdelim.c | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
> > > > index a88c393..3077490 100644
> > > > --- a/src/stdio/getdelim.c
> > > > +++ b/src/stdio/getdelim.c
> > > > @@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
> > > > for (;;) {
> > > > z = memchr(f->rpos, delim, f->rend - f->rpos);
> > > > k = z ? z - f->rpos + 1 : f->rend - f->rpos;
> > > > - if (i+k >= *n) {
> > > > + if (i+k+1 >= *n) {
> > > > if (k >= SIZE_MAX/2-i) goto oom;
> > > > *n = i+k+2;
> > > > if (*n < SIZE_MAX/4) *n *= 2;
> > > > --
> > > > 2.4.9
> > >
> > > I think you're mistaken. i+k is the space needed so far in the buffer
> > > (not counting the terminating null byte) and *n is the usable space.
> > > The equality case of the i+k >= *n conditional covers the need to
> > > expand the buffer when the new content of length k would exactly fit
> > > but would not leave room for null termination.
> > >
> > > Just to make sure I wrote a quick test program, which I've attached,
> > > that should crash in free if the overflow occurs. It does not crash
> > > and the output demonstrates correct resizing.
> >
> > Thanks for the test program!
> >
> > I did not see the 'if (z) break;'. The off-by-one should only occur
> > when memchr returns 0 but the byte from getc_unlocked is the delimiter.
> > (This makes it not so easy to observe the bug.)
>
> Are you saying you still think there is a bug, that's only triggered
> when the byte from getc_unlocked causes the loop to break? I'll have
> to review that but it seems plausible. Do you have any ideas for
> adapting the test program to check this case?
Never mind; I can produce the expected crash just by adding
setbuf(f,0) right after the file is opened.
Rich
next prev parent reply other threads:[~2015-10-25 0:32 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-24 20:43 Felix Janda
2015-10-24 21:36 ` Rich Felker
2015-10-24 22:25 ` Felix Janda
2015-10-24 23:35 ` Rich Felker
2015-10-25 0:32 ` Rich Felker [this message]
2015-10-25 6:18 ` Felix Janda
2018-09-16 18:25 ` Rich Felker
2018-09-16 18:34 ` Rich Felker
2018-09-16 23:32 ` Rich Felker
2018-09-17 2:01 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151025003202.GA8645@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).