From: Jacob Bachmeyer
Subject: Re: [Bug-dejagnu] BUG: improper format string construction in framework.exp
Date: Sun, 28 Oct 2018 19:52:55 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0

Ben Elliston wrote:
> On Sat, Oct 27, 2018 at 11:48:08PM -0500, Jacob Bachmeyer wrote:
>> A message that contains a '%' character will cause Tcl to raise an error at the format in record_test in lib/framework.exp on line 803 as of commit 81651abb04defb181f9c98bfcc55e077dcaea452. This is a "classic" format string vulnerability, except that Tcl catches it and raises an error.
>
> Thanks!

Oops... I have since realized that the patch in my previous message was subtly wrong -- it reversed the order of the pass name and message. I did not notice because I had not actually looked at the test log -- the program I use for summarizing the log keys off of the "Running pass" messages instead and only counts passes/fails/etc. for a nice summary table. /Mea culpa/; here is a corrected patch.
corrected patch: (also relative to commit 81651abb04defb181f9c98bfcc55e077dcaea452)
diff --git a/lib/framework.exp b/lib/framework.exp index 6cb93c5..50ac757 100644 --- a/lib/framework.exp +++ b/lib/framework.exp @@ -800,7 +800,7 @@ proc record_test { type message args } { global multipass_name if { $multipass_name != "" } { - set message [format "$type: %s: $message" "$multipass_name"] + set message [format "%s: %s: %s" "$type" "$multipass_name" "$message"] } else { set message "$type: $message" } -- Yours sheepishly, Jacob
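
Review bot: In the added `set message [format "%s: %s: %s" "$type" "$multipass_name" "$message"]` line, `format` is no longer needed, because every conversion is `%s`. Plain substitution, `set message "$type: $multipass_name: $message"`, produces the same string, matches the form already used in the `else` branch, and leaves no format string into which a later edit could reintroduce variable data. If `format` is kept, the double quotes around the three arguments are redundant in Tcl and can be dropped. A testsuite case that sends a message containing `%` through `record_test` with `multipass_name` set would keep this from regressing.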