Red Hat Bugzilla – Bug 469495
procps string size issue
Last modified: 2010-03-30 04:06:42 EDT
Description of problem: proc/devname.c has an array that is 4 characters wide that is trying to hold strings that are 5 bytes wide, like "AM12". I will attach a patch fixing this. Version-Release number of selected component (if applicable): 3.2.7 Additional Info: fedora has the same problem.
Created attachment 322171 [details] patch fixing problems described herein This patch widens the strings so they have the NUL terminator. Please apply to RHEL when the opportunity hits and to Fedora at first chance. Thanks!
thanks for the patch, cloned this to Fedora (bug #498182)
Not a bug. This is one of the differences between C and C++. The strings are in fact exactly the size requested. Unlike a C++ compiler, a C compiler will respect the programmer's wishes. The "strings" are of course lacking the typical NUL byte in some cases. This is correctly handled by the code.
Is a bug. :) Try this simple test: #include <stdio.h> #include <string.h> int main(void) { char array[3][4] = { "123", "4567", "890" }; int i; for (i=0; i<3; i++) printf("string %d, \"%s\", len=%d\n", i, array[i], strlen(array[i])); return 0; } This is what you get: ./test string 0, "123", len=3 string 1, "4567890", len=7 string 2, "890", len=3
This is where the array gets used: if(min >= sizeof low_density_names / sizeof low_density_names[0]) return 0; sprintf(buf, "/dev/tty%s", low_density_names[min]); If the sprintf had something like %.3s as the format specifier, it would handle the string overrun correctly. This goes into a buffer, tmp that is TTY_NAME_SIZE, which is 128 bytes. So there is no security issue here. The issue is that some of the names are unusable due to the string size issue. The names AM10 - 15 and SMX0 - 3 would be affected.
(In reply to comment #5) > This is where the array gets used: > > if(min >= sizeof low_density_names / sizeof low_density_names[0]) return 0; > sprintf(buf, "/dev/tty%s", low_density_names[min]); I thought 3.2.7 had the current (in CVS) code, but it doesn't. Somehow this change didn't get into the 3.2.8 release notes. The current code uses memcpy.
fixed in procps-3.2.7-12.el5
hello Steve, is there an reproducer of the bug available, in order to test the erratum?
You would need to have a system that has "Low-density serial ports" dev major 204 and run a program that would report the dev name. You would need to be on one of the following devices: "AM10", "AM11", "AM12", "AM13", "AM14", "AM15", "SMX0", "SMX1", "SMX2". Hope this helps...
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0200.html