Re: Bug w/ gawk tat extension
From: Aharon Robbins
Subject: Re: Bug w/ gawk tat extension
Date: Mon, 20 Jun 2005 22:56:42 +0300
Thanks for the fix. I'll get it in for the next release.
Arnold
> Date: Fri, 17 Jun 2005 14:35:13 -0600 (MDT)
> From: Glenn Zazulia <address@hidden>
> Subject: Bug w/ gawk tat extension
> To: address@hidden
> Cc: address@hidden
>
> Hello,
>
> I noticed a bug with the readlink() call in extension/filefuncs.c when
> stat()ing a symlink. Notice that the code does not check the return
> value. When readlink() fails, the return value is set to -1, of course,
> and that value is used as an array offset a few lines later, corrupting
> the stack and ultimately causing a SEGV abort.
>
> Example filesystem symlinks that cause readlink() to fail can be found
> in the /proc filesystem on Linux systems (at least on the various RedHat
> versions that I've tested, such as 8 & 9). In particular, look for the
> low-numbered kernel process, such as /proc/10/exe.
>
> Since this bug occurs just in the sample extension code, it's probably
> not considered especially serious, but I thought I'd report it anyway.
> Please see below for a sample patch...
>
> Glenn Zazulia
> address@hidden
>
> --
>
> --- filefuncs.c 2004-06-21 08:05:51.000000000 -0600
> +++ filefuncs.new.c 2005-06-17 14:23:39.000000000 -0600
> @@ -260,14 +260,15 @@
> char buf[BUFSIZ*2];
> int linksize;
>
> - linksize = readlink(file->stptr, buf, sizeof buf);
> - /* should make this smarter */
> - if (linksize == sizeof(buf))
> - fatal("size of symbolic link too big");
> - buf[linksize] = '\0';
> -
> - aptr = assoc_lookup(array, tmp_string("linkval", 7), FALSE);
> - *aptr = make_string(buf, linksize);
> + if ((linksize = readlink(file->stptr, buf, sizeof buf)) >= 0) {
> + /* should make this smarter */
> + if (linksize >= sizeof(buf))
> + fatal("size of symbolic link too big");
> + buf[linksize] = '\0';
> +
> + aptr = assoc_lookup(array, tmp_string("linkval", 7), FALSE);
> + *aptr = make_string(buf, linksize);
> + }
> }
>
> /* add a type field */
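
Review bot: The new "if ((linksize = readlink(...)) >= 0)" block has no else branch, so a failed readlink() is dropped silently: the "linkval" element is never set and errno is not reported. Either emit a warning with the errno text on that path or document that "linkval" is absent when the link cannot be read. Separately, linksize is declared int while readlink() returns ssize_t, and it is compared against sizeof(buf), a size_t; the comparison is only safe because it sits inside the >= 0 branch, so declaring linksize as ssize_t or casting in the comparison would make that dependency explicit.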
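
The failure mode described in the report, as an added example that is not part of the original thread and is not gawk's code: a wrapper that never indexes the buffer with an unchecked readlink() result. The names read_link_checked and make_sample_link are hypothetical, the symlink is a constructed sample, and "/" (not a symlink) stands in for a path on which readlink() fails.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not gawk code. Returns the link length, or -1 with
 * errno set; buf is NUL-terminated either way, so a failed readlink()
 * never turns into a write at buf[-1]. */
ssize_t read_link_checked(const char *path, char *buf, size_t bufsize)
{
    ssize_t n;

    if (bufsize == 0) { errno = EINVAL; return -1; }
    buf[0] = '\0';
    n = readlink(path, buf, bufsize);
    if (n < 0)
        return -1;                    /* errno already set by readlink() */
    if ((size_t)n >= bufsize) {       /* full buffer: possibly truncated */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';                    /* 0 <= n < bufsize is proven here */
    return n;
}

/* Constructed sample input: a symlink inside a fresh temporary directory. */
int make_sample_link(char *linkpath, size_t len)
{
    char dir[] = "/tmp/rlXXXXXX";

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(linkpath, len, "%s/link", dir);
    return symlink("constructed-target", linkpath);
}

int main(void)
{
    char lp[128], buf[64];

    if (make_sample_link(lp, sizeof lp) != 0) return 1;
    printf("%ld %s\n", (long)read_link_checked(lp, buf, sizeof buf), buf);
    if (read_link_checked("/", buf, sizeof buf) < 0)   /* not a symlink */
        printf("readlink failed: %s\n", strerror(errno));
    return 0;
}
```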