Buffer overflow in multiline-mode

kosh
Posts: 72
Joined: Sun Sep 13, 2009 5:38 am
Location: Japan

Buffer overflow in multiline-mode

Post by kosh »


$ ./newlisp
newLISP v.10.3.0 on Linux IPv4/6 UTF-8, execute 'newlisp -h' for more info.

>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ... (Large strings MAX_COMMAND_LINE or more)
*** buffer overflow detected ***: ./newlisp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x1f2390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0x1f12ca]
./newlisp[0x8055870]
./newlisp[0x8055f52]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x126bd6]
./newlisp[0x804a921]
======= Memory map: ========
...
The patch is below:


$ diff -u newlisp_orig.c newlisp.c 
--- newlisp_orig.c	2011-02-25 09:48:10.000000000 +0900
+++ newlisp.c	2011-02-25 09:48:47.000000000 +0900
@@ -1059,12 +1059,15 @@
 	openStrStream(cmdStream, 1024, TRUE);
 	for(;;)
 		{
+                memset(buff, '\0', MAX_COMMAND_LINE); /* initialize buffer */
 		if(isTTY) 
 			{
 			cmd = getCommandLine(TRUE);
-			strncpy(buff, cmd, MAX_COMMAND_LINE -1);
 #ifdef READLINE
+			strncpy(buff, cmd, MAX_COMMAND_LINE -2);
 			strlcat(buff, "\n", 1);
+#else
+                        strncpy(buff, cmd, MAX_COMMAND_LINE -1);
 #endif
 			free(cmd);
 			}
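Review bot: the READLINE branch still calls `strlcat(buff, "\n", 1);` (an unchanged context line just below the new `strncpy(buff, cmd, MAX_COMMAND_LINE -2);`), and with BSD strlcat semantics the third argument is the total size of dst, so a size of 1 against a buffer that already holds one or more bytes writes nothing; the byte the -2 reserves is never used and the newline is silently dropped. Pass MAX_COMMAND_LINE as the size so the '\n' lands in the spare byte. The per-iteration memset is what actually stops the overflow, since strncpy leaves no terminator when cmd is MAX_COMMAND_LINE-1 bytes or longer and the later string operations then read past buff; writing only buff[MAX_COMMAND_LINE - 1] = '\0' after the copy gives the same guarantee without clearing the whole buffer on every loop. Style: the three added lines are indented with spaces where the surrounding code uses tabs.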

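The following is an added example, not code from kosh's post or from newLISP itself. It isolates the two mechanisms behind the report and the patch: a `strncpy()` of `MAX_COMMAND_LINE - 1` bytes leaves no terminator when the input is that long or longer, and a strlcat-style append whose size argument is 1 never writes the newline. `MAX_COMMAND_LINE` is assumed to be 16 here so the constructed inputs stay short, `bounded_cat` is this example's own BSD-semantics reimplementation of strlcat (so the code does not depend on the platform having one), and all other function names are the example's own.

```c
/* Added example, not newLISP code. It shows why a strncpy() of
 * MAX_COMMAND_LINE-1 bytes must be paired with an explicit terminator, and how
 * a strlcat-style append with a size of 1 silently drops the newline.
 * MAX_COMMAND_LINE is assumed to be 16 here so the inputs stay short; all
 * function names are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMMAND_LINE 16

/* Scratch buffer shared by the demonstrations below. */
char demo_buff[MAX_COMMAND_LINE];

/* The pattern from the original code: strncpy() writes no NUL when the source
 * is MAX_COMMAND_LINE-1 bytes or longer. The buffer is pre-filled with 'X' to
 * stand in for data left over from an earlier loop iteration. The result is
 * inspected with memchr() so an unterminated buffer is detected without
 * reading past it. Returns true only if a terminator exists inside the buffer. */
bool naive_copy_is_terminated(char buff[MAX_COMMAND_LINE], const char *cmd)
{
    memset(buff, 'X', MAX_COMMAND_LINE);
    strncpy(buff, cmd, MAX_COMMAND_LINE - 1);
    return memchr(buff, '\0', MAX_COMMAND_LINE) != NULL;
}

/* Hardened copy: bounded, always NUL-terminated, and when add_newline is set a
 * byte is reserved up front for the '\n' so it can never be lost to
 * truncation. Returns how many source bytes did not fit (0 on a clean copy),
 * so the caller can reject an over-long line instead of parsing a cut-off one. */
size_t safe_copy_command(char buff[MAX_COMMAND_LINE], const char *cmd, bool add_newline)
{
    size_t room = MAX_COMMAND_LINE - 1 - (add_newline ? 1 : 0);
    size_t len = strlen(cmd);
    size_t n = len < room ? len : room;

    memcpy(buff, cmd, n);
    if (add_newline)
        buff[n++] = '\n';
    buff[n] = '\0';
    return len > room ? len - room : 0;
}

/* strlcat-style append with BSD semantics, written out here rather than
 * relying on the platform: `size` is the TOTAL size of dst, not the free
 * space. If dst already holds `size` or more bytes nothing is written at all,
 * which is what happens when the size argument is 1. Returns the length the
 * full concatenation would have had; a value >= size means it was truncated. */
size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    size_t slen = strlen(src);

    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)
        return size + slen;            /* no terminator within size: nothing written */

    size_t room = size - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

int main(void)
{
    const char *short_cmd = "(+ 1 2)";                   /* constructed input, 7 bytes */
    const char *long_cmd = "(define (f x) (* x x x))";   /* constructed input, 24 bytes */

    printf("naive, short: terminated=%d\n", naive_copy_is_terminated(demo_buff, short_cmd));
    printf("naive, long:  terminated=%d\n", naive_copy_is_terminated(demo_buff, long_cmd));

    size_t dropped = safe_copy_command(demo_buff, long_cmd, true);
    printf("safe, long:   \"%s\" (%zu bytes dropped)\n", demo_buff, dropped);

    safe_copy_command(demo_buff, short_cmd, false);
    bounded_cat(demo_buff, "\n", 1);                     /* size 1: newline never lands */
    printf("cat size 1:   len=%zu\n", strlen(demo_buff));
    bounded_cat(demo_buff, "\n", MAX_COMMAND_LINE);      /* size = buffer size: it does */
    printf("cat size %d:  len=%zu\n", MAX_COMMAND_LINE, strlen(demo_buff));
    return 0;
}
```

Run with `gcc -Wall -O1 -D_FORTIFY_SOURCE=2 example.c && ./a.out`. The naive copy of the 24-byte line reports no terminator inside the buffer, which is the state in which the original loop went on to call string functions on `buff`; the hardened copy reports how much was cut off instead, and the two `bounded_cat` calls show that only a size equal to the buffer size actually appends the newline.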
Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California

Re: Buffer overflow in multiline-mode

Post by Lutz »

Thanks Kosh. The merged change can be found here:
http://www.newlisp.org/downloads/develo ... nprogress/
