author | Steve Dickson <steved@redhat.com> | 2018-10-09 09:19:50 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2018-10-09 09:19:50 -0400 |
commit | 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 (patch) | |
tree | b78b198a474b6eb4a8f0e136ae71b54739341392 | |
parent | c0c89b3bf2bdf304a5fe3cab626334e0cdaf1ef2 (diff) | |
download | rpcbind-0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0.tar.gz |
rpcinfo: Fix stack buffer overflow
*** buffer overflow detected ***: rpcinfo terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
/lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
rpcinfo(+0x435f)[0xef3be2635f]
rpcinfo(+0x1c62)[0xef3be23c62]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
rpcinfo(+0x2739)[0xef3be24739]
======= Memory map: ========
...
The patch below fixes it.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Thomas Blume <thomas.blume@suse.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | src/rpcinfo.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/src/rpcinfo.c b/src/rpcinfo.c
index 9b46864..cfdba88 100644
--- a/src/rpcinfo.c
+++ b/src/rpcinfo.c
@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
 (" program version(s) netid(s) service owner\n");
 for (rs = rs_head; rs; rs = rs->next)
 {
+ size_t netidmax = sizeof(buf) - 1;
 char *p = buf;
 printf ("%10ld ", rs->prog);
@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
 }
 printf ("%-10s", buf);
 buf[0] = '\0';
- for (nl = rs->nlist; nl; nl = nl->next)
- {
- strcat (buf, nl->netid);
- if (nl->next)
- strcat (buf, ",");
- }
+
+ for (nl = rs->nlist; nl; nl = nl->next)
+ {
+ strncat (buf, nl->netid, netidmax);
+ if (strlen (nl->netid) < netidmax)
+ netidmax -= strlen(nl->netid);
+ else
+ break;
+
+ if (nl->next && netidmax > 1)
+ {
+ strncat (buf, ",", netidmax);
+ netidmax --;
+ }
+ }
+
 printf ("%-32s", buf);
 rpc = getrpcbynumber (rs->prog);
 if (rpc) |
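Review bot: `netidmax` is derived from `sizeof(buf)`, which is the buffer capacity only if `buf` is a true array in this scope; its declaration is outside the hunk, so that should be confirmed, since a pointer would yield the pointer size instead. The same buffer is also filled through `p` before the `printf ("%-10s", buf)` at the top of the next hunk, and that code lies between the two hunks and is not shown; if it appends the version list without a bound, it needs the same kind of limit. A short comment on the new declaration would help, for example `/* bytes still free in buf for the netid list, not counting the NUL */`.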
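Review bot: When exactly one byte is left (`netidmax == 1`) and another entry follows, the comma is skipped but the loop keeps running, so the next `strncat (buf, nl->netid, netidmax)` glues the first character of the following netid directly onto the previous one. Stopping at that point keeps the column well-formed: add `else if (nl->next) break;` after the comma block. Truncation is also silent, so a long netid list (presumably taken from the rpcbind reply) is printed cut off with no marker telling the reader that entries are missing. `strlen (nl->netid)` is evaluated twice per iteration and could be held in a local.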