Commit 68ccb802 authored by Marc-André Lureau's avatar Marc-André Lureau

tcp_emu: fix unsafe snprintf() usages

Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).

https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."

Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".

After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.

Use slirp_fmt*() to fix potential OOB memory access.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
parent c8ee10e2
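The commit message above describes the pitfall in the abstract; the following added C example (not code from libslirp, the patch, or its author) makes it concrete. `safe_fmt()` is a hypothetical stand-in modelled on the idea behind `slirp_fmt()`, not its actual implementation: it clamps the return value to the number of bytes really stored. `buggy_m_len()` reproduces the pre-fix pattern where `m_len` grows by `snprintf()`'s raw return value, and `fixed_m_len()` the corrected one. The "DCC CHAT" message, the address and the port are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for slirp_fmt(): format into buf and return the
 * number of bytes actually stored (excluding the NUL), never more than
 * len - 1, instead of snprintf()'s "would have been written" count. */
static int safe_fmt(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int rv;

    va_start(ap, fmt);
    rv = vsnprintf(buf, len, fmt, ap);
    va_end(ap);

    if (rv < 0) {
        return -1;                  /* encoding error: buf is not usable */
    }
    if ((size_t)rv >= len) {
        /* Output was truncated: only len - 1 bytes plus the NUL landed. */
        return (int)(len ? len - 1 : 0);
    }
    return rv;
}

enum { SCRATCH_CAP = 64 };

/* Pre-fix pattern: m_len is advanced by snprintf()'s return value, so when
 * `room` is too small m_len ends up larger than the data that was stored. */
static size_t buggy_m_len(size_t room)
{
    char m_data[SCRATCH_CAP];       /* constructed stand-in for mbuf m_data */
    size_t m_len = 0;

    if (room > sizeof m_data) {
        room = sizeof m_data;
    }
    /* constructed sample message; no real peer involved */
    m_len += snprintf(m_data, room, "DCC CHAT chat %s %u\r\n",
                      "10.0.2.15", 1024u);
    return m_len;
}

/* Post-fix pattern: m_len can never exceed what is actually in the buffer. */
static size_t fixed_m_len(size_t room)
{
    char m_data[SCRATCH_CAP];
    size_t m_len = 0;
    int n;

    if (room > sizeof m_data) {
        room = sizeof m_data;
    }
    n = safe_fmt(m_data, room, "DCC CHAT chat %s %u\r\n", "10.0.2.15", 1024u);
    if (n > 0) {
        m_len += (size_t)n;
    }
    return m_len;
}

int main(void)
{
    /* The full message is 30 bytes; give the formatter only 16. */
    printf("buggy m_len with 16-byte room: %zu (room is 16)\n", buggy_m_len(16));
    printf("fixed m_len with 16-byte room: %zu\n", fixed_m_len(16));
    printf("both with enough room:         %zu / %zu\n",
           buggy_m_len(64), fixed_m_len(64));
    return 0;
}
```

With a 16-byte buffer the buggy variant reports an `m_len` of 30, so a later access bounded by `m_len` reads or writes 14 bytes past what was stored; the fixed variant reports 15, matching the bytes actually present. When the buffer is large enough both agree, which is why the defect only shows up on oversized input.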