Re: [PATCH] trace-cmd: prevent print_graph_duration buffer overflow

From: Valdis . Kletnieks
Date: Sun Jun 13 2010 - 16:53:14 EST

Next message: Chris Clayton: "Re: Noticeable slow-down in 2.6.35-rc3"
Previous message: Eric Dumazet: "Re: mpd client timeouts (bisected) 2.6.35-rc3"
In reply to: Chase Douglas: "[PATCH] trace-cmd: prevent print_graph_duration buffer overflow"
Next in thread: Chase Douglas: "Re: [PATCH] trace-cmd: prevent print_graph_duration buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 13 Jun 2010 13:11:48 EDT, Chase Douglas said:
> Passing n > sizeof(string) to snprintf can cause a glibc buffer overflow
> condition. We know the exact size of nsecs_str, so use it instead of
> math that may overflow.

> /* Print nsecs (we don't want to exceed 7 numbers) */
> if ((s->len - len) < 7) {
> - snprintf(nsecs_str, 8 - (s->len - len), "%03lu", nsecs_rem);
> + snprintf(nsecs_str, sizeof(nsecs_str), "%03lu", nsecs_rem);

We only get into this code after we've checked that the length is under 7
characters. How much overflow can happen as long as the sizeof(nsecs_str) is a
sane size (like at least 8 chars)? Probably a better bet would be doing the
right thing and 'BUILD_BUG_ON(sizeof(nsecs_str) < 8);'?

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Chris Clayton: "Re: Noticeable slow-down in 2.6.35-rc3"
Previous message: Eric Dumazet: "Re: mpd client timeouts (bisected) 2.6.35-rc3"
In reply to: Chase Douglas: "[PATCH] trace-cmd: prevent print_graph_duration buffer overflow"
Next in thread: Chase Douglas: "Re: [PATCH] trace-cmd: prevent print_graph_duration buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]