Uploaded image for project: 'CFEngine Community'
  1. CFEngine Community
  2. CFE-1806

LogRaw corrupts the stack when passed corrupted buflen

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.x
    • Component/s: None
    • Labels:
      None
    • Platform:
      Linux

      Description

      <pre>
      (gdb) bt full
      #0 0x00007ffff7b6d5f4 in LogRaw (level=LOG_LEVEL_DEBUG, prefix=0x7ffff7ba6876 "ReceiveTransaction header: ", buf=0x7ffff3720500, buflen=18446744073709551609) at logging.c:268
      i = 37395
      #1 0x2e2e2e2e2e402e2e in ?? ()
      No symbol table info available.
      #2 0x2e2e2e2e2e412e2e in ?? ()
      No symbol table info available.
      #3 0x2e2e2e2e2e612e2e in ?? ()
      No symbol table info available.
      #4 0x2e2e2e2e2e72662e in ?? ()
      No symbol table info available.
      #5 0x2e2e2e2e2e2e2e2e in ?? ()
      No symbol table info available.
      </pre>

      The current version of the code does not guard against crazy values, e.g. in the previous backtrace the value of buflen is 18446744073709551609. As a result the function corrupts all the stack and gdb backtraces are unusable.

      <pre>
      void LogRaw(LogLevel level, const char *prefix, const void *buf, size_t buflen)
      {
      /* Translate non printable characters to printable ones. */
      const unsigned char *src = (const unsigned char *) buf;
      unsigned char dst[buflen+1];
      size_t i;

      for (i = 0; i < buflen; i++)

      { dst[i] = isprint(src[i]) ? src[i] : '.'; }

      dst[i] = '\0';

      /* And Log the translated buffer, which is now a valid string. */
      Log(level, "%s%s", prefix, dst);
      }
      </pre>

        Attachments

          Activity

            People

            • Assignee:
              a10038 jimis (Dimitrios Apostolou)
              Reporter:
              a10038 jimis (Dimitrios Apostolou)
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Summary Panel