bin/152345: truss writes one byte past the buffer if it is not null-terminated
Mateusz Guzik
mjguzik at gmail.com
Thu Nov 18 02:00:31 UTC 2010
>Number: 152345
>Category: bin
>Synopsis: truss writes one byte past the buffer if it is not null-terminated
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 18 02:00:31 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Mateusz Guzik
>Release: 9.0-CURRENT
>Organization:
>Environment:
FreeBSD lap 9.0-CURRENT FreeBSD 9.0-CURRENT #11 r213950+82afb7e: Sun Oct 17 16:57:50 CEST 2010 f at aa:/usr/obj/srv/repos/freebsd/sys/LAP amd64
>Description:
When copying buffers filled by syscalls, truss does the following (syscalls.c: get_string()):
    buf = malloc(totalsize);
Later, if buf is not null-terminated, truss writes past the buffer:
    buf[totalsize] = '\0';
And if buf[totalsize - 1] is not 0, one byte of garbage is printed along with the expected data.
>How-To-Repeat:
Download and compile http://student.agh.edu.pl/~mjguzik/truss_garbage.c. It will try to readlink(2) the symlink 'foo' into a buffer filled with 0xFF.
$ ln -s bar foo
$ truss ./a.out 2>&1 | grep readlink
readlink("foo","barÿ",1025) = 3 (0x3)
>Fix:
See http://student.agh.edu.pl/~mjguzik/truss_garbage.patch
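The allocation pattern the report describes, shown with the terminator byte reserved up front, as an added example that is not the reporter's patch or truss's own get_string(). It models the copy with a local array standing in for the bytes read from the traced process; the function names and the constructed readlink-style sample buffer are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models the get_string() copy from the report: `src` holds `totalsize` bytes
 * snapshotted from the traced process, which need not contain a NUL at all
 * (for instance a readlink(2) result in a buffer pre-filled with 0xFF, since
 * readlink does not terminate what it writes). Returns a NUL-terminated heap
 * copy, or NULL on allocation failure; the caller frees it. */
char *copy_terminated(const unsigned char *src, size_t totalsize)
{
    /* The reported defect is malloc(totalsize) followed by
     * buf[totalsize] = '\0', a store one byte past the allocation.
     * Reserving the terminator's byte here keeps that store in bounds. */
    char *buf = malloc(totalsize + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, totalsize);
    buf[totalsize] = '\0';   /* now the last byte of the allocation */
    return buf;
}

/* Length a printer should consume: up to the first NUL if the data carried
 * one, otherwise exactly `totalsize`. strnlen() never reads past the bound,
 * so an unterminated payload cannot run the printer off the end either. */
size_t printable_len(const char *buf, size_t totalsize)
{
    return strnlen(buf, totalsize);
}

int main(void)
{
    /* Constructed sample: what readlink("foo") leaves in a 0xFF-filled
     * buffer when the link target is "bar" (no NUL is written). */
    unsigned char remote[8];
    memset(remote, 0xFF, sizeof remote);
    memcpy(remote, "bar", 3);

    char *s = copy_terminated(remote, sizeof remote);
    if (s == NULL)
        return 1;
    printf("copied %zu bytes, printable length %zu\n",
           sizeof remote, printable_len(s, sizeof remote));
    free(s);
    return 0;
}
```

With the sample buffer above, printable_len() reports the full 8 bytes because nothing in the copied data marks where the link target ends; that is the "garbage along with expected data" effect the report describes, and it is separate from the out-of-bounds store, which the extra byte in the allocation removes.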
>Release-Note:
>Audit-Trail:
>Unformatted: