kbmap: fix sprint() buffer overflow (thanks silasm)
A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters. sample output: % cd /sys/lib/kbmap % touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa % kbmap kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer. I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap if I can figure out the nuances of doing so. --silasm
This commit is contained in:
cinap_lenrek
parent
ffa761beae
commit
86e63c36ed
1 changed files with 2 additions and 3 deletions
|
|
@ -64,7 +64,6 @@ init(void)
|
|||
{
|
||||
int i, fd, nr;
|
||||
Dir *pd;
|
||||
char buf[128];
|
||||
|
||||
if((fd = open(dir, OREAD)) < 0)
|
||||
return;
|
||||
|
|
@ -72,8 +71,8 @@ init(void)
|
|||
nmap = nr = dirreadall(fd, &pd);
|
||||
map = emalloc(nr * sizeof(KbMap));
|
||||
for(i=0; i<nr; i++){
|
||||
sprint(buf, "%s/%s", dir, pd[i].name);
|
||||
map[i].file = estrdup(buf);
|
||||
map[i].file = emalloc(strlen(dir) + strlen(pd[i].name) + 2);
|
||||
sprint(map[i].file, "%s/%s", dir, pd[i].name);
|
||||
map[i].name = estrdup(pd[i].name);
|
||||
map[i].current = 0;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue