This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 556678 - Buffer too small, error prone coding
Buffer too small, error prone coding
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: strace (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Andreas Schwab
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-18 22:05 EST by JW
Modified: 2010-05-27 14:35 EDT (History)
3 users (show)

See Also:
Fixed In Version: strace-4.5.20-1.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-27 14:35:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch to prevent stack buffer overflow (840 bytes, patch)
2010-01-18 22:05 EST, JW
no flags Details | Diff

  None (edit)
Description JW 2010-01-18 22:05:47 EST
Created attachment 385305 [details]
Patch to prevent stack buffer overflow

Description of problem:
One of the buffers is too small, and coding is inherently unsafe

Version-Release number of selected component (if applicable):
strace-4.5.19-1

How reproducible:
Always

Steps to Reproduce:
1. see patch
  
Actual results:


Expected results:


Additional info:
Generally it is always code defensively and use snprintf rather than sprintf especially when using buffers on the stack(!), and also to ensure that literal constants don't have to be repeated (and match) in different places, eg:
NEVER
> char str[40];
> snprintf(str, 39, ...).
ALWAYS
> char str[40];
> snprintf(str, sizeof(str)-1, ...);

But in any case how can constructs such as sprintf() onto a fixed size buffer on the stack escape the attention of automatic bad-code detection tools. Wait ... you don't use such tools?. Shame!
Comment 1 Fedora Update System 2010-05-04 08:30:17 EDT
strace-4.5.20-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/strace-4.5.20-1.fc13
Comment 2 Fedora Update System 2010-05-05 03:18:04 EDT
strace-4.5.20-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update strace'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/strace-4.5.20-1.fc13
Comment 3 Fedora Update System 2010-05-27 14:35:14 EDT
strace-4.5.20-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.