diff options
author | Conrad Meyer <cem@FreeBSD.org> | 2016-05-11 15:31:31 +0000 |
---|---|---|
committer | Conrad Meyer <cem@FreeBSD.org> | 2016-05-11 15:31:31 +0000 |
commit | 6a4b635383b55cd19ba76f775d3821070061bd96 (patch) | |
tree | bac7f66785d7ff37beedc6810468083ed738c80c /usr.bin/gcore | |
parent | 7ca01e8f89769f769fbe333a7ded0efdd765d95c (diff) | |
download | src-6a4b635383b55cd19ba76f775d3821070061bd96.tar.gz src-6a4b635383b55cd19ba76f775d3821070061bd96.zip |
Fix buffer overrun in gcore(1) NT_PRPSINFO
Use size of destination buffer, rather than a constant that may or may not
correspond to the source buffer, to restrict the length of copied strings. In
particular, pr_fname has 16+1 characters but MAXCOMLEN is 18+1.
Use strlcpy instead of strncpy to ensure the result is nul-terminated. This
seems to be what is expected of these fields.
Reported by: Coverity
CIDs: 1011302, 1011378
Sponsored by: EMC / Isilon Storage Division
Notes
Notes:
svn path=/head/; revision=299458
Diffstat (limited to 'usr.bin/gcore')
-rw-r--r-- | usr.bin/gcore/elfcore.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/gcore/elfcore.c b/usr.bin/gcore/elfcore.c index 2d1acb8252a6..c96e3ae81232 100644 --- a/usr.bin/gcore/elfcore.c +++ b/usr.bin/gcore/elfcore.c @@ -560,8 +560,8 @@ elf_note_prpsinfo(void *arg, size_t *sizep) err(1, "kern.proc.pid.%u", pid); if (kip.ki_pid != pid) err(1, "kern.proc.pid.%u", pid); - strncpy(psinfo->pr_fname, kip.ki_comm, MAXCOMLEN); - strncpy(psinfo->pr_psargs, psinfo->pr_fname, PRARGSZ); + strlcpy(psinfo->pr_fname, kip.ki_comm, sizeof(psinfo->pr_fname)); + strlcpy(psinfo->pr_psargs, psinfo->pr_fname, sizeof(psinfo->pr_psargs)); *sizep = sizeof(*psinfo); return (psinfo); |