Date:      Thu, 18 Nov 2010 01:56:50 GMT
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/152345: truss writes one byte past the buffer if it is not null-terminated
Message-ID:  <201011180156.oAI1uoeM040149@www.freebsd.org>
Resent-Message-ID: <201011180200.oAI20Vpw074584@freefall.freebsd.org>


>Number:         152345
>Category:       bin
>Synopsis:       truss writes one byte past the buffer if it is not null-terminated
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 18 02:00:31 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Mateusz Guzik
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lap 9.0-CURRENT FreeBSD 9.0-CURRENT #11 r213950+82afb7e: Sun Oct 17 16:57:50 CEST 2010     f@aa:/usr/obj/srv/repos/freebsd/sys/LAP  amd64

>Description:
When copying buffers filled by syscalls, truss does the following (syscalls.c: get_string())

buf = malloc(totalsize);

Later, if buf is not null-terminated, truss writes past the buffer:

buf[totalsize] = '\0';

And if buf[totalsize - 1] is not 0, one byte of garbage is printed along with the expected data.
>How-To-Repeat:
Download and compile http://student.agh.edu.pl/~mjguzik/truss_garbage.c . It will try to readlink(2) symlink 'foo' to a buffer filled with 0xFF.

$ ln -s bar foo
$ truss ./a.out 2>&1 | grep readlink
readlink("foo","bar˙",1025)			 = 3 (0x3)
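The off-by-one above, modelled as an added example (not truss's own get_string() and not the submitter's patch): tracee_mem is a constructed byte array standing in for the ptrace(2) read of the traced process, and get_string_model() is a hypothetical corrected copy that always places the terminator inside the allocation, for both a syscall-reported length (the readlink case) and an unknown length ended only by a NUL.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracee memory (not real ptrace data): readlink(2) has written
 * "bar" (3 bytes, no NUL) into a buffer the program pre-filled with 0xFF. */
static const unsigned char tracee_mem[] = {
    'b', 'a', 'r', 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

/* Hypothetical stand-in for truss's ptrace(PT_IO) read of `len` bytes. */
static void read_tracee(size_t off, void *dst, size_t len)
{
    assert(off + len <= sizeof tracee_mem);
    memcpy(dst, tracee_mem + off, len);
}

/*
 * The layout reported in the PR, for comparison only (never called here):
 *     buf = malloc(totalsize);
 *     ... copy totalsize bytes from the tracee ...
 *     buf[totalsize] = '\0';   // malloc(totalsize) covers 0..totalsize-1
 * If the copied bytes contain no NUL, the terminator lands outside the
 * block and the stray byte at buf[totalsize - 1] is printed as data.
 */

/* Hypothetical corrected copy: `max` is the length the syscall reported
 * (readlink's return value), or 0 when only a NUL can end the string. */
char *get_string_model(size_t max)
{
    size_t len = max;
    if (max == 0) {
        /* Length unknown: scan for the NUL, bounded by the tracee memory we
         * can read, so an unterminated buffer cannot run the scan off the end. */
        while (len < sizeof tracee_mem && tracee_mem[len] != '\0')
            len++;
    }
    char *buf = malloc(len + 1);          /* indices 0..len; len holds the NUL */
    if (buf == NULL)
        return NULL;
    read_tracee(0, buf, len);
    buf[len] = '\0';                      /* always inside the allocation */
    return buf;
}
```

For the repro above, get_string_model(3) yields "bar" with no trailing 0xFF, because the terminator is written at the index the syscall's return value dictates rather than one past the allocation.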

>Fix:
See http://student.agh.edu.pl/~mjguzik/truss_garbage.patch

>Release-Note:
>Audit-Trail:
>Unformatted: