Hi,

Unintended truncating of string length could cause potential overflow, which got
spotted by GCC with _FORTIFY_SOURCE=2.

Note the difference:
malloc(strlen(fstype + 1)) != malloc(strlen(fstype) + 1)

I guess this was not intended?

Also valgrind detected this issue:
[...]
==20899== Invalid write of size 4
==20899==    at 0x401A1E: main (umount01.c:139)
==20899==  Address 0x4d64078 is 0 bytes inside a block of size 3 alloc'd
==20899==    at 0x4A1FDEB: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20899==    by 0x4019D1: main (umount01.c:133)
==20899== 
==20899== Syscall param mount(type) points to unaddressable byte(s)
==20899==    at 0x4BE4E7A: mount (in /lib64/libc-2.4.so)
==20899==    by 0x401A9C: main (umount01.c:159)
==20899==  Address 0x4d6407b is 0 bytes after a block of size 3 alloc'd
==20899==    at 0x4A1FDEB: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==20899==    by 0x4019D1: main (umount01.c:133)
[...]

Fix: Replaced wrong use of malloc/strncpy with simple strdup().

Tested fix on SLES 10 SP2:
:~/ltp/ltp-full-20080825/:[0]# ./testcases/kernel/syscalls/umount/umount01 -D /dev/sda1
umount01    1  PASS  :  umount(2) Passed 


Signed-off-by: Daniel Gollub <[EMAIL PROTECTED]>

---
 testcases/kernel/syscalls/umount/umount01.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

Index: ltp-full-20080825/testcases/kernel/syscalls/umount/umount01.c
===================================================================
--- ltp-full-20080825.orig/testcases/kernel/syscalls/umount/umount01.c
+++ ltp-full-20080825/testcases/kernel/syscalls/umount/umount01.c
@@ -121,22 +121,19 @@ main(int ac, char **av)
        }
 
        if (Tflag == 1) {
-               Fstype = (char *) malloc(strlen(fstype + 1));
+               Fstype = strdup(fstype);
                if(Fstype == NULL) {
                        tst_brkm(TBROK, NULL, "malloc - failed to alloc %d"
                                "errno %d", strlen(fstype), errno);
                        tst_exit();
                }
-
-               strncpy(Fstype, fstype, strlen(fstype));
        } else {
-               Fstype = (char *) malloc(strlen(DEFAULT_FSTYPE + 1));
+               Fstype = strdup(DEFAULT_FSTYPE);
                if(Fstype == NULL) {
                        tst_brkm(TBROK, NULL, "malloc - failed to alloc %d"
                                "errno %d", strlen(DEFAULT_FSTYPE), errno);
                        tst_exit();
                }
-               strncpy(Fstype, DEFAULT_FSTYPE, strlen(DEFAULT_FSTYPE));
        }
 
        if (STD_COPIES != 1) {
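Review bot: the error paths under both `if(Fstype == NULL)` checks still report "malloc - failed to alloc %d" even though the allocation is now done by strdup(), and they pass strlen(...), which is a size_t, to a %d conversion. The two adjacent string literals also concatenate to "alloc %derrno %d" with no separator between the length and "errno". Suggest rewording the message to name strdup, adding a space before "errno", and printing the length with %zu (or casting it to int).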


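The size mix-up and the unterminated copy described in the message above, replayed inside an oversized scratch buffer so nothing is actually overrun. This is an added example, not code from LTP or from the patch author; the `replay` helper, the arena and the sample value "ext2" are constructed here, with "ext2" chosen because it reproduces the 3-byte block seen in the valgrind trace.

```c
#include <stdio.h>
#include <string.h>

#define ARENA  32      /* scratch space, larger than any sample string */
#define CANARY 0xAA    /* fill byte used to spot writes past the block */

struct copy_report {
    size_t block;      /* bytes the allocation expression asked for */
    size_t needed;     /* bytes a NUL-terminated copy needs */
    size_t overrun;    /* bytes strncpy() wrote past the block */
    int terminated;    /* 1 if a NUL landed inside the block */
};

/* Replay the pre-patch copy; `block` is the size the code gave to malloc().
 * src must be non-empty and shorter than ARENA. */
static struct copy_report replay(const char *src, size_t block)
{
    unsigned char arena[ARENA];
    struct copy_report r = { block, strlen(src) + 1, 0, 0 };

    memset(arena, CANARY, sizeof(arena));
    strncpy((char *)arena, src, strlen(src));   /* the original copy call */

    for (size_t i = block; i < sizeof(arena); i++)
        if (arena[i] != CANARY)
            r.overrun++;
    r.terminated = memchr(arena, '\0', block) != NULL;
    return r;
}

/* The two expressions contrasted in the message. */
static size_t size_as_written(const char *s)  { return strlen(s + 1); }
static size_t size_as_intended(const char *s) { return strlen(s) + 1; }

int main(void)
{
    const char *fstype = "ext2";   /* constructed sample value */
    struct copy_report bad = replay(fstype, size_as_written(fstype));
    struct copy_report ok  = replay(fstype, size_as_intended(fstype));

    printf("as written : block=%zu needed=%zu overrun=%zu terminated=%d\n",
           bad.block, bad.needed, bad.overrun, bad.terminated);
    printf("as intended: block=%zu needed=%zu overrun=%zu terminated=%d\n",
           ok.block, ok.needed, ok.overrun, ok.terminated);
    return 0;
}
```

Even with the intended allocation size, `strncpy(dst, src, strlen(src))` leaves the buffer without a terminator, so moving the parenthesis alone would not have been a complete fix; `strdup()` handles both the size and the terminator.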