[5183] in Moira
mrtest: qy segfaults when given too many arguments [patch]
daemon@ATHENA.MIT.EDU (Anders Kaseorg)
Fri Aug 24 20:06:27 2007
From: Anders Kaseorg <andersk@MIT.EDU>
To: bug-moira@mit.edu
Cc: debathena@mit.edu
Content-Type: multipart/mixed; boundary="=-H/POyzCUGfZIgci7u8Wu"
Date: Fri, 24 Aug 2007 20:05:34 -0400
Message-Id: <1188000334.8330.20.camel@balanced-tree.mit.edu>
Mime-Version: 1.0
--=-H/POyzCUGfZIgci7u8Wu
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
andersk@mint-square:~$ athrun moira mrtest
moira: c
moira: qy x x x x x x x x x x x x x x x x x x x x x x x x x x x x x
Segmentation Fault
Attached is a patch to fix this (and display "moira: Too many command
line arguments" instead).
Anders
SIPB Debian-Athena team
--=-H/POyzCUGfZIgci7u8Wu
Content-Disposition: attachment; filename=moira-mrtest-buffer-overflow.patch
Content-Type: text/x-patch; name=moira-mrtest-buffer-overflow.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
Index: debathena-moira-4.0.0+cvs20070129/clients/mrtest/mrtest.c
===================================================================
--- debathena-moira-4.0.0+cvs20070129.orig/clients/mrtest/mrtest.c 2007-08-24 19:24:21.000000000 -0400
+++ debathena-moira-4.0.0+cvs20070129/clients/mrtest/mrtest.c 2007-08-24 19:28:20.000000000 -0400
@@ -259,8 +259,14 @@
/* skip whitespace */
for (*p++ = '\0'; *p == ' ' || *p == '\t'; p++)
;
- if (*p && *p != '\n')
- argv[++argc] = p--;
+ if (*p && *p != '\n') {
+ if (++argc >= MAXARGS) {
+ fprintf(stderr,
+ "moira: Too many command line arguments\n");
+ return 0;
+ }
+ argv[argc] = p--;
+ }
}
}
if (*p == '\n')
--=-H/POyzCUGfZIgci7u8Wu--
