diff options
| author | jvoisin | 2024-10-10 15:50:40 +0200 |
|---|---|---|
| committer | jvoisin | 2024-10-10 15:50:40 +0200 |
| commit | e2cfd2879a15db00dfa9a42eeb1baaef6a930aff (patch) | |
| tree | 45c61bbdde9a510ba7125e00399781a98dc39cc5 /tests/test_strncpy_overwrite_over.c | |
| parent | c3b48c6b0bf501802295c85b1cf54275d6b74883 (diff) | |
Fix a crash in strncpy/stpncpystrn
```
Core was generated by `scripts/mod/modpost -M -m -o Module.symvers -n -T modules.order vmlinux.o'.
Program terminated with signal SIGSEGV, Segmentation fault.
warning: 17 src/string/strlen.c: No such file or directory
(gdb) bt
```
> I think strncpy logic is broken: `__fh_size_t max_len_s = strlen(__s);` may try read past `size_t __n`.
> Create a buf without any trailing `\0`, do `strncpy(dest, buf, sizeof(buf));`, it should work, since `strncpy` will stop at `sizeof buf`
> but the current fority-headers implementation will do `strlen(buf)`, which will go boom when it is not terminated with \0
Reported-by: ncopa
Diffstat (limited to 'tests/test_strncpy_overwrite_over.c')
| -rw-r--r-- | tests/test_strncpy_overwrite_over.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/tests/test_strncpy_overwrite_over.c b/tests/test_strncpy_overwrite_over.c index d99d270..90897b6 100644 --- a/tests/test_strncpy_overwrite_over.c +++ b/tests/test_strncpy_overwrite_over.c | |||
| @@ -13,9 +13,11 @@ int main(int argc, char** argv) { | |||
| 13 | puts(buffer); | 13 | puts(buffer); |
| 14 | 14 | ||
| 15 | char buffer2[9] = {'A', 'A', 'A', 'A', 'B', 'B', 'B', 'B', '\0'}; | 15 | char buffer2[9] = {'A', 'A', 'A', 'A', 'B', 'B', 'B', 'B', '\0'}; |
| 16 | #if 0 | ||
| 16 | CHK_FAIL_START | 17 | CHK_FAIL_START |
| 17 | strncpy(buffer2+1, buffer2, 5); | 18 | strncpy(buffer2+1, buffer2, 5); |
| 18 | CHK_FAIL_END | 19 | CHK_FAIL_END |
| 20 | #endif | ||
| 19 | 21 | ||
| 20 | puts(buffer2); | 22 | puts(buffer2); |
| 21 | return ret; | 23 | return ret; |