| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-12-11 18:32:50 +0100 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-12-11 18:32:50 +0100 |
| commit | 86e63c36eded29e46a17628264b73d743df9a864 (patch) | |
| tree | 400c2f92325a94911f1ff4227c043e8ecea0f9e7 /sys/src | |
| parent | ffa761beae76043ff7630bd45f68cb5ed08a93fa (diff) | |
kbmap: fix sprint() buffer overflow (thanks silasm)
A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters.
sample output:
% cd /sys/lib/kbmap
% touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df
offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c,
which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer.
I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap
if I can figure out the nuances of doing so.
--silasm
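The arithmetic behind the report above, as an added example that is not part of kbmap.c or this commit: why a 128-byte buffer under `/sys/lib/kbmap` fails at the 113th character of a filename, and the patch's approach of sizing the heap buffer from the same two strings the format consumes. Standard C (`snprintf`/`malloc`) stands in for Plan 9's `sprint`/`emalloc`; `KBMAP_DIR` and `OLD_BUF` are constants constructed from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed from the commit message: the directory kbmap scans and the
 * size of the fixed stack buffer the old init() formatted into. */
#define KBMAP_DIR "/sys/lib/kbmap"
#define OLD_BUF   128

/* Bytes that "%s/%s" writes for dir and name, including the terminating NUL. */
size_t joined_len(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

/* Does "dir/name" fit in a fixed buffer of bufsize bytes?
 * With KBMAP_DIR and OLD_BUF this flips at the 112-character name length. */
int fits_fixed_buf(const char *dir, const char *name, size_t bufsize)
{
    return joined_len(dir, name) <= bufsize;
}

/* Longest name the fixed buffer can hold: bufsize minus dir, '/' and NUL.
 * strlen("/sys/lib/kbmap") is 14, so 128 - 14 - 2 = 112. */
size_t max_name_len(const char *dir, size_t bufsize)
{
    size_t fixed = strlen(dir) + 2;
    return bufsize > fixed ? bufsize - fixed : 0;
}

/* The patched pattern: allocate exactly joined_len() bytes and format into
 * that, so the bound is derived from the inputs rather than guessed.
 * Caller frees the result; returns NULL on allocation failure. */
char *join_path(const char *dir, const char *name)
{
    size_t n = joined_len(dir, name);
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    snprintf(p, n, "%s/%s", dir, name);  /* bounded by n, always NUL-terminated */
    return p;
}
```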
Diffstat (limited to 'sys/src')
-rw-r--r-- | sys/src/cmd/kbmap.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/src/cmd/kbmap.c b/sys/src/cmd/kbmap.c index 712c27e71..03f9a40da 100644 --- a/sys/src/cmd/kbmap.c +++ b/sys/src/cmd/kbmap.c @@ -64,7 +64,6 @@ init(void) { int i, fd, nr; Dir *pd; - char buf[128]; if((fd = open(dir, OREAD)) < 0) return; @@ -72,8 +71,8 @@ init(void) nmap = nr = dirreadall(fd, &pd); map = emalloc(nr * sizeof(KbMap)); for(i=0; i<nr; i++){ - sprint(buf, "%s/%s", dir, pd[i].name); - map[i].file = estrdup(buf); + map[i].file = emalloc(strlen(dir) + strlen(pd[i].name) + 2); + sprint(map[i].file, "%s/%s", dir, pd[i].name); map[i].name = estrdup(pd[i].name); map[i].current = 0; } |
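Review bot: the `+ 2` in the second hunk's emalloc size is correct (one byte for the '/' separator, one for the NUL), but the bound now lives on a separate line from the sprint that depends on it, so a later edit to the format string could reopen the overflow without touching the size. Plan 9 libc's smprint allocates the formatted length itself, so `map[i].file = smprint("%s/%s", dir, pd[i].name);` would keep size and format in one place; smprint returns nil on allocation failure, so its result needs a nil check (emalloc is presumably the wrapper that handles that for `map = emalloc(nr * sizeof(KbMap))` in the unchanged context).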