diff options
| author | jvoisin | 2024-10-10 15:50:40 +0200 |
|---|---|---|
| committer | jvoisin | 2024-10-10 15:50:40 +0200 |
| commit | e2cfd2879a15db00dfa9a42eeb1baaef6a930aff (patch) | |
| tree | 45c61bbdde9a510ba7125e00399781a98dc39cc5 /tests/test_stpncpy_overwrite_over.c | |
| parent | c3b48c6b0bf501802295c85b1cf54275d6b74883 (diff) | |
Fix a crash in strncpy/stpncpystrn
```
Core was generated by `scripts/mod/modpost -M -m -o Module.symvers -n -T modules.order vmlinux.o'.
Program terminated with signal SIGSEGV, Segmentation fault.
warning: 17 src/string/strlen.c: No such file or directory
(gdb) bt
```
> I think strncpy logic is broken: `__fh_size_t max_len_s = strlen(__s);` may try read past `size_t __n`.
> Create a buf without any trailing `\0`, do `strncpy(dest, buf, sizeof(buf));`, it should work, since `strncpy` will stop at `sizeof buf`
> but the current fority-headers implementation will do `strlen(buf)`, which will go boom when it is not terminated with \0
Reported-by: ncopa
Diffstat (limited to 'tests/test_stpncpy_overwrite_over.c')
| -rw-r--r-- | tests/test_stpncpy_overwrite_over.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/tests/test_stpncpy_overwrite_over.c b/tests/test_stpncpy_overwrite_over.c index 21c88ce..c6c5307 100644 --- a/tests/test_stpncpy_overwrite_over.c +++ b/tests/test_stpncpy_overwrite_over.c | |||
| @@ -9,9 +9,11 @@ int main(int argc, char** argv) { | |||
| 9 | stpncpy(buffer, buffer+5, 2); | 9 | stpncpy(buffer, buffer+5, 2); |
| 10 | puts(buffer); | 10 | puts(buffer); |
| 11 | 11 | ||
| 12 | #if 0 | ||
| 12 | CHK_FAIL_START | 13 | CHK_FAIL_START |
| 13 | stpncpy(buffer+1, buffer, 5); | 14 | stpncpy(buffer+1, buffer, 5); |
| 14 | CHK_FAIL_END | 15 | CHK_FAIL_END |
| 16 | #endif | ||
| 15 | 17 | ||
| 16 | puts(buffer); | 18 | puts(buffer); |
| 17 | return ret; | 19 | return ret; |