From owner-svn-src-all@freebsd.org Wed Aug 1 18:45:34 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B50DD10660D8; Wed, 1 Aug 2018 18:45:34 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 68E2782131; Wed, 1 Aug 2018 18:45:34 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 302AB265C6; Wed, 1 Aug 2018 18:45:34 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w71IjYU0022244; Wed, 1 Aug 2018 18:45:34 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w71IjYvM022243; Wed, 1 Aug 2018 18:45:34 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201808011845.w71IjYvM022243@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Wed, 1 Aug 2018 18:45:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r337050 - head/usr.sbin/newsyslog X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: head/usr.sbin/newsyslog X-SVN-Commit-Revision: 337050 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Aug 2018 18:45:35 -0000 Author: markj Date: Wed Aug 1 18:45:33 2018 New Revision: 337050 URL: https://svnweb.freebsd.org/changeset/base/337050 Log: Don't hard-code the number of compression utility arguments. The zstd invocation constructed by newsyslog contains one more parameter than invocations for the other supported compression utilities. However, the maximum number of arguments was hard-coded, leading to an out-of-bounds array access when using zstd compression. Modified: head/usr.sbin/newsyslog/newsyslog.c Modified: head/usr.sbin/newsyslog/newsyslog.c ============================================================================== --- head/usr.sbin/newsyslog/newsyslog.c Wed Aug 1 18:41:43 2018 (r337049) +++ head/usr.sbin/newsyslog/newsyslog.c Wed Aug 1 18:45:33 2018 (r337050) @@ -153,23 +153,24 @@ struct compress_types { const char *suffix; /* Compression suffix */ const char *path; /* Path to compression program */ char **args; /* Compression program arguments */ + int nargs; /* Program argument count */ }; static char f_arg[] = "-f"; static char q_arg[] = "-q"; static char rm_arg[] = "--rm"; -static char *gz_args[] ={ NULL, f_arg, NULL, NULL }; -#define bzip2_args gz_args +static char *gz_args[] = { NULL, f_arg, NULL, NULL }; +#define bz2_args gz_args #define xz_args gz_args static char *zstd_args[] = { NULL, q_arg, rm_arg, NULL, NULL }; -#define ARGS_NUM 4 +#define ARGS_NUM 5 static const struct compress_types compress_type[COMPRESS_TYPES] = { - { "", "", "", NULL}, /* none */ - { "Z", COMPRESS_SUFFIX_GZ, _PATH_GZIP, gz_args}, /* gzip */ - { "J", COMPRESS_SUFFIX_BZ2, _PATH_BZIP2, bzip2_args}, /* bzip2 */ - { "X", COMPRESS_SUFFIX_XZ, _PATH_XZ, xz_args }, /* xz */ - { "Y", COMPRESS_SUFFIX_ZST, _PATH_ZSTD, zstd_args } /* zst */ + { "", "", "", NULL, 0}, + { "Z", COMPRESS_SUFFIX_GZ, _PATH_GZIP, gz_args, nitems(gz_args) }, + { "J", COMPRESS_SUFFIX_BZ2, _PATH_BZIP2, bz2_args, nitems(bz2_args) }, + { "X", COMPRESS_SUFFIX_XZ, _PATH_XZ, xz_args, nitems(xz_args) }, + { "Y", COMPRESS_SUFFIX_ZST, _PATH_ZSTD, zstd_args, nitems(zstd_args) } }; struct conf_entry { @@ -2027,23 +2028,24 @@ do_zipwork(struct zipwork_entry *zwork) char zresult[MAXPATHLEN]; char command[BUFSIZ]; char **args; - int c, i; + int c, i, nargs; assert(zwork != NULL); pgm_path = NULL; strlcpy(zresult, zwork->zw_fname, sizeof(zresult)); - args = calloc(ARGS_NUM, sizeof(*args)); - if (args == NULL) - err(1, "calloc()"); if (zwork->zw_conf != NULL && zwork->zw_conf->compress > COMPRESS_NONE) for (c = 1; c < COMPRESS_TYPES; c++) { if (zwork->zw_conf->compress == c) { + nargs = compress_type[c].nargs; + args = calloc(nargs, sizeof(*args)); + if (args == NULL) + err(1, "calloc()"); pgm_path = compress_type[c].path; (void) strlcat(zresult, compress_type[c].suffix, sizeof(zresult)); /* the first argument is always NULL, skip it */ - for (i = 1; i < ARGS_NUM; i++) { + for (i = 1; i < nargs; i++) { if (compress_type[c].args[i] == NULL) break; args[i] = compress_type[c].args[i];