Re: [PATCH] trace-cmd: prevent print_graph_duration buffer overflow

From: Valdis . Kletnieks
Date: Sun Jun 13 2010 - 16:53:14 EST


On Sun, 13 Jun 2010 13:11:48 EDT, Chase Douglas said:
> Passing n > sizeof(string) to snprintf can cause a glibc buffer overflow
> condition. We know the exact size of nsecs_str, so use it instead of
> math that may overflow.

> /* Print nsecs (we don't want to exceed 7 numbers) */
> if ((s->len - len) < 7) {
> - snprintf(nsecs_str, 8 - (s->len - len), "%03lu", nsecs_rem);
> + snprintf(nsecs_str, sizeof(nsecs_str), "%03lu", nsecs_rem);

We only get into this code after we've checked that the length is under 7
characters. How much overflow can happen as long as the sizeof(nsecs_str) is a
sane size (like at least 8 chars)? Probably a better bet would be doing the
right thing and 'BUILD_BUG_ON(sizeof(nsecs_str) < 8);'?

Attachment: pgp00000.pgp
Description: PGP signature