Date: Thu, 28 Aug 1997 14:11:19 +1000 (EST)
From: Andrew Cagney <cagney@tpgi.com.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/4403: vasprintf (3) corrupts memory
Message-ID: <199708280411.OAA15671@b1.tpgi.com.au>
Resent-Message-ID: <199708280500.WAA07844@hub.freebsd.org>
>Number:         4403
>Category:       bin
>Synopsis:       vasprintf (3) corrupts memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 27 22:00:00 PDT 1997
>Last-Modified:
>Originator:     Andrew Cagney
>Organization:
>Release:        FreeBSD 2.1.7-RELEASE i386
>Environment:
Probably also in FreeBSD 2.2.2.
>Description:
vasprintf.c:vasprintf() unconditionally appends a null character to its buffer. Since vasprintf.c:writehook() allows the buffer to completely fill (left == 0), that store can blat memory beyond the buffer's bounds.
>How-To-Repeat:
Combine FreeBSD with GDB/mmalloc and wait for gdb to panic? I suspect vasprintf (... "-128-characters-") will do it.
>Fix:
1 - Change writehook() to always keep one location in reserve.
or
2 - (better?) re-order the tail of vasprintf so that it reads:

    *str = realloc(h.base, (size_t)(h.size - h.left + 1));
    if (*str == NULL)       /* failed to realloc it to actual size */
        *str = h.base;      /* return oversize buffer */
    (*str)[h.size - h.left] = '\0';
    return (ret);

>Audit-Trail:
>Unformatted:
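Added example, not code from the report or from FreeBSD's libc: a self-contained C model of the writehook()/tail interaction the report describes. The struct field names, the 128-byte initial buffer and the probe() harness are assumptions; probe() reports whether the original unconditional terminator store would land one byte past the allocation, then applies the report's fix 2 (additionally failing, rather than reusing the full block, when realloc fails while left == 0).

```c
#include <stdlib.h>
#include <string.h>
/* Growable buffer like the one vasprintf.c threads through writehook().
 * Constructed model for this example; field names are assumptions. */
struct hbuf { char *base; size_t size; size_t left; };
/* Per the report, writehook() grows only when no room remains, so after the
 * last byte 'left' can legitimately be 0. */
static int writehook(struct hbuf *h, const char *p, size_t n) {
    while (n > 0) {
        if (h->left == 0) {
            char *nb = realloc(h->base, h->size * 2);
            if (nb == NULL) return -1;
            h->base = nb; h->left = h->size; h->size *= 2;
        }
        size_t chunk = n < h->left ? n : h->left;
        memcpy(h->base + (h->size - h->left), p, chunk);
        h->left -= chunk; p += chunk; n -= chunk;
    }
    return 0;
}
/* Fix 2 from the report: resize to length + 1 before storing the NUL. One
 * extra case: if realloc fails while left == 0 the old block has no spare
 * byte either, so fail instead of writing one past its end. */
static char *finish_fixed(struct hbuf *h) {
    size_t len = h->size - h->left;
    char *s = realloc(h->base, len + 1);
    if (s == NULL) {
        if (h->left == 0) { free(h->base); return NULL; }
        s = h->base;
    }
    s[len] = '\0';
    return s;
}
/* Write n 'A's into a fresh 128-byte buffer (the report's trigger size). Sets
 * *overflow when the original tail's (*str)[size - left] = '\0' would land one
 * past the allocation; returns the fixed tail's string length, -1 on failure. */
long probe(size_t n, int *overflow) {
    struct hbuf h = { malloc(128), 128, 128 };
    char *a = malloc(n ? n : 1);
    if (h.base == NULL || a == NULL) { free(h.base); free(a); return -1; }
    memset(a, 'A', n);
    int rc = writehook(&h, a, n);
    free(a);
    if (rc != 0) { free(h.base); return -1; }
    *overflow = (h.left == 0);
    char *s = finish_fixed(&h);
    if (s == NULL) return -1;
    long len = (long)strlen(s);
    free(s);
    return len;
}
```

Lengths that exactly fill the buffer (128, 256, ...) leave left == 0, which is the condition under which the original tail wrote the terminator out of bounds.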