diff options
Diffstat (limited to 'main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch')
| -rw-r--r-- | main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch new file mode 100644 index 0000000000..630151b406 --- /dev/null +++ b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch @@ -0,0 +1,68 @@ +From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 27 Jul 2015 11:18:53 +0200 +Subject: [PATCH] printf-hook-builtin: Fix invalid memory access + +When precision is given for a string, we must not run unbounded +strlen() as it will read beyond the given length. It might even cause +a crash if the given pointer is near end of heap or mapping. + +Fixes numerous valgrind errors such as: + +==19215== Invalid read of size 1 +==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853) +==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084) +==19215== by 0x52CE464: dntoa (identification.c:337) +==19215== by 0x52CE464: identification_printf_hook (identification.c:837) +==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) +==19215== by 0x57040EB: vlog (bus.c:388) +==19215== by 0x570427D: log_ (bus.c:430) +==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) +==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) +==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) +==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) +==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) +==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) +==19215== by 0x52C3125: load_feature (plugin_loader.c:716) +==19215== by 0x52C3125: load_provided (plugin_loader.c:778) +==19215== by 0x52C3A20: load_features (plugin_loader.c:799) +==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) +==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd +==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296) +==19215== by 0x52CD198: chunk_printable (chunk.c:759) +==19215== by 0x52CE442: dntoa (identification.c:334) +==19215== by 0x52CE442: identification_printf_hook (identification.c:837) +==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) +==19215== by 0x57040EB: vlog (bus.c:388) +==19215== by 0x570427D: log_ (bus.c:430) +==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) +==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) +==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) +==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) +==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) +==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) +==19215== by 0x52C3125: load_feature (plugin_loader.c:716) +==19215== by 0x52C3125: load_provided (plugin_loader.c:778) +==19215== by 0x52C3A20: load_features (plugin_loader.c:799) +==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) +--- + src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +index 466c673..af54940 100644 +--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c ++++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) + /* String */ + sarg = va_arg(ap, const char *); + sarg = sarg ? sarg : "(null)"; +- slen = strlen(sarg); ++ slen = prec != -1 ? strnlen(sarg, prec) ++ : strlen(sarg); + goto is_string; + } + case 'm': +-- +2.4.6 + |