diff options
| author | John Baldwin <jhb@FreeBSD.org> | 2005-11-11 19:57:41 +0000 |
|---|---|---|
| committer | John Baldwin <jhb@FreeBSD.org> | 2005-11-11 19:57:41 +0000 |
| commit | 4d5fe96d68d5003e2682037c3d72bda61bc8d433 (patch) | |
| tree | ababdd4405f19282da0739f7940277e9ea39eb19 | |
| parent | d9276f685b044ac4227c062de352d9741a17760e (diff) | |
| download | src-4d5fe96d68d5003e2682037c3d72bda61bc8d433.tar.gz src-4d5fe96d68d5003e2682037c3d72bda61bc8d433.zip | |
Fix a bug in dlinfo(RTLD_DI_SERINFOSIZE) requests. For each search path
we included the length of the path in the returned size but not the length
of the associated Dl_serpath structure. Without this fix, programs
attempting to allocate a structure to hold the search path information
would allocate too small of a buffer and rtld would overrun the buffer
while filling it via a subsequent RTLD_DI_SERINFO request.
Submitted by: "William K. Josephson" wkj at morphisms dot net
Reviewed by: jdp
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=152320
| -rw-r--r-- | libexec/rtld-elf/rtld.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index 1db0227310d2..244b5db9b372 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -1968,7 +1968,7 @@ fill_search_info(const char *dir, size_t dirlen, void *param) if (arg->request == RTLD_DI_SERINFOSIZE) { arg->serinfo->dls_cnt ++; - arg->serinfo->dls_size += dirlen + 1; + arg->serinfo->dls_size += sizeof(Dl_serpath) + dirlen + 1; } else { struct dl_serpath *s_entry; |