[Reproducible-commits] [dpkg] 15/25: s-s-d: Fix off-by-one stack buffer overrun on GNU/Linux and GNU/kFreeBSD
Holger Levsen
holger at layer-acht.org
Tue May 3 08:43:55 UTC 2016
This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.16.16
in repository dpkg.

commit 019a62ac5f047fa9dbe5f8597faedfacdba84e6b
Author: Guillem Jover <guillem at debian.org>
Date: Mon Apr 28 22:15:58 2014 +0200

s-s-d: Fix off-by-one stack buffer overrun on GNU/Linux and GNU/kFreeBSD

Cherry picked from commit 00e2aadcdc9d86655963df13068afd85eca2ed83.

This might happen if the executable pathname is longer than
_POSIX_PATH_MAX. Although this should not have security implications
as the buffer is surrounded by two arrays (so those catch accesses
even if the stack grows up or down), and we are compiling with
-fstack-protector anyway.

We just need to always leave room for the final NUL character.

Warned-by: coverity
---
debian/changelog | 5 +++++
utils/start-stop-daemon.c | 4 ++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 930ffe6..472c608 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low
Closes: #751021
* Fix a descriptor leak on dselect subprocesses when --debug is used.
* Do not run qsort() over the scandir() list in libcompat if it is NULL.
+ * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
+ GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
+ Although this should not have security implications as the buffer is
+ surrounded by two arrays (so those catch accesses even if the stack
+ grows up or down), and we are compiling with -fstack-protector anyway.
[ Updated scripts translations ]
* Fix typos in German (Helge Kreutzmann)
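Review bot: The second sentence of the added changelog entry ("Although this should not have security implications ... anyway.") is a dependent clause with no main clause, and the entry names the mitigations without saying what the fix is. Suggest dropping "Although" and adding a short clause that the buffer now always leaves room for the final NUL. The "surrounded by two arrays" argument also relies on the compiler keeping the locals in declaration order, which C does not guarantee, so the entry would be on firmer ground resting on -fstack-protector alone.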
diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c
index 818d7eb..11afbaf 100644
--- a/utils/start-stop-daemon.c
+++ b/utils/start-stop-daemon.c
@@ -1021,13 +1021,13 @@ static bool
pid_is_exec(pid_t pid, const struct stat *esb)
{
char lname[32];
- char lcontents[_POSIX_PATH_MAX];
+ char lcontents[_POSIX_PATH_MAX + 1];
const char deleted[] = " (deleted)";
int nread;
struct stat sb;
sprintf(lname, "/proc/%d/exe", pid);
- nread = readlink(lname, lcontents, sizeof(lcontents));
+ nread = readlink(lname, lcontents, sizeof(lcontents) - 1);
if (nread == -1)
return false;
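Review bot: Passing sizeof(lcontents) - 1 to readlink() stops the overrun, but readlink() truncates silently and only nread == -1 is checked in the lines shown, so a /proc/<pid>/exe target longer than _POSIX_PATH_MAX bytes still leaves a cut-off path in lcontents that is treated as complete. Suggest treating nread == sizeof(lcontents) - 1 as possible truncation (return false, or retry with a larger buffer), or sizing the buffer from PATH_MAX, since _POSIX_PATH_MAX is only the POSIX minimum of 256 bytes. Separately, readlink() returns ssize_t while nread is declared int; declaring it ssize_t would match the API.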
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git