kbmap: fix sprint() buffer overflow (thanks silasm)
A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters. sample output: % cd /sys/lib/kbmap % touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa % kbmap kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer. I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap if I can figure out the nuances of doing so. --silasm
parent
ffa761beae
commit
86e63c36ed
1 changed files with 2 additions and 3 deletions
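--- a/sys/src/cmd/kbmap.c
+++ b/sys/src/cmd/kbmap.c
@@ -64,7 +64,6 @@ init(void)
 {
 int i, fd, nr;
 Dir *pd;
-char buf[128];
 
 if((fd = open(dir, OREAD)) < 0)
 return;
@@ -72,8 +71,8 @@ init(void)
 nmap = nr = dirreadall(fd, &pd);
 map = emalloc(nr * sizeof(KbMap));
 for(i=0; i<nr; i++){
-sprint(buf, "%s/%s", dir, pd[i].name);
-map[i].file = estrdup(buf);
+map[i].file = emalloc(strlen(dir) + strlen(pd[i].name) + 2);
+sprint(map[i].file, "%s/%s", dir, pd[i].name);
 map[i].name = estrdup(pd[i].name);
 map[i].current = 0;
 }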
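Review bot: The new sprint() in the second hunk still writes with no bound on the destination; it is safe only because the emalloc() on the line above sizes the buffer as strlen(dir) + strlen(pd[i].name) + 2 (one for the '/' and one for the NUL), and that arithmetic has to be kept in sync with the format string by hand. The Plan 9 idiom that removes the manual sizing is `map[i].file = smprint("%s/%s", dir, pd[i].name);`, which allocates exactly the formatted length in one call; alternatively keep the computed length in a local and use `snprint(map[i].file, len, "%s/%s", dir, pd[i].name);` so the bound is stated at the write. If smprint is used, its nil return on allocation failure needs a check, whereas emalloc presumably aborts on failure (its definition is not visible here). The body of init() continues outside the hunk, and the first hunk's `{` is the function's opening brace whose signature is only in the hunk header.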