diff options
author | cem <cem@FreeBSD.org> | 2016-05-11 15:31:31 +0000 |
---|---|---|
committer | cem <cem@FreeBSD.org> | 2016-05-11 15:31:31 +0000 |
commit | 980da549c8eab5dd9d45311367f76355ee3e01a6 (patch) | |
tree | bac7f66785d7ff37beedc6810468083ed738c80c /usr.bin/gcore | |
parent | c1c72529c87f6bd10669894317ec3b2240ec14c3 (diff) | |
download | FreeBSD-src-980da549c8eab5dd9d45311367f76355ee3e01a6.zip FreeBSD-src-980da549c8eab5dd9d45311367f76355ee3e01a6.tar.gz |
Fix buffer overrun in gcore(1) NT_PRPSINFO
Use size of destination buffer, rather than a constant that may or may not
correspond to the source buffer, to restrict the length of copied strings. In
particular, pr_fname has 16+1 characters but MAXCOMLEN is 18+1.
Use strlcpy instead of strncpy to ensure the result is nul-terminated. This
seems to be what is expected of these fields.
Reported by: Coverity
CIDs: 1011302, 1011378
Sponsored by: EMC / Isilon Storage Division
Diffstat (limited to 'usr.bin/gcore')
-rw-r--r-- | usr.bin/gcore/elfcore.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/gcore/elfcore.c b/usr.bin/gcore/elfcore.c index 2d1acb8..c96e3ae 100644 --- a/usr.bin/gcore/elfcore.c +++ b/usr.bin/gcore/elfcore.c @@ -560,8 +560,8 @@ elf_note_prpsinfo(void *arg, size_t *sizep) err(1, "kern.proc.pid.%u", pid); if (kip.ki_pid != pid) err(1, "kern.proc.pid.%u", pid); - strncpy(psinfo->pr_fname, kip.ki_comm, MAXCOMLEN); - strncpy(psinfo->pr_psargs, psinfo->pr_fname, PRARGSZ); + strlcpy(psinfo->pr_fname, kip.ki_comm, sizeof(psinfo->pr_fname)); + strlcpy(psinfo->pr_psargs, psinfo->pr_fname, sizeof(psinfo->pr_psargs)); *sizep = sizeof(*psinfo); return (psinfo); |