diff options
author | ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com> | 2017-10-04 15:23:03 +0900 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-10-05 16:40:00 +0300 |
commit | 9e997ed2f528ff50e7394b33447a91937e939cf3 (patch) | |
tree | 94c6eefe56257e25c6fa5510b2968451c2edf6eb /monitor/main.c | |
parent | 42a83dbb0cfe4d9e1613a02dbe69eec242ee0aff (diff) | |
download | bluez-9e997ed2f528ff50e7394b33447a91937e939cf3.tar.gz |
monitor: Fix buffer overflow with unix socket
If btmon uses a unix socket, which has a long pathname, then the
buffer overflow occurs as below:
*** strcpy_chk: buffer overflow detected ***: program terminated
at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4C34E46: __strcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4084FE: strcpy (string3.h:110)
by 0x4084FE: control_server (control.c:1148)
by 0x4029E9: main (main.c:144)
This patch also gives an error and stops running when parsing command-line
arguments if the unix socket pathname is too long. And this patch adds the
redundant check in control_server() to prevent the regression when reusing
in the future.
Diffstat (limited to 'monitor/main.c')
-rw-r--r-- | monitor/main.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/monitor/main.c b/monitor/main.c index b4e9a6ab9..3e61a4661 100644 --- a/monitor/main.c +++ b/monitor/main.c @@ -31,6 +31,7 @@ #include <stdlib.h> #include <string.h> #include <getopt.h> +#include <sys/un.h> #include "src/shared/mainloop.h" #include "src/shared/tty.h" @@ -114,6 +115,7 @@ int main(int argc, char *argv[]) for (;;) { int opt; + struct sockaddr_un addr; opt = getopt_long(argc, argv, "d:r:w:a:s:p:i:tTSAE:vh", main_options, NULL); @@ -141,6 +143,10 @@ int main(int argc, char *argv[]) analyze_path = optarg; break; case 's': + if (strlen(optarg) > sizeof(addr.sun_path) - 1) { + fprintf(stderr, "Socket name too long\n"); + return EXIT_FAILURE; + } control_server(optarg); break; case 'p': |