[06/14] gdbserver: fix read buffer overflow

Message ID	20220314041735.542867-8-npiggin@gmail.com
State	New
Headers	show Return-Path: <pdbg-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: Nicholas Piggin <npiggin@gmail.com> To: pdbg@lists.ozlabs.org Date: Mon, 14 Mar 2022 14:17:27 +1000 Message-Id: <20220314041735.542867-8-npiggin@gmail.com> In-Reply-To: <20220314041735.542867-1-npiggin@gmail.com> References: <20220314041735.542867-1-npiggin@gmail.com> MIME-Version: 1.0 Subject: [Pdbg] [PATCH 06/14] gdbserver: fix read buffer overflow Precedence: list Cc: Nicholas Piggin <npiggin@gmail.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdbg-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Pdbg" <pdbg-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	gdbserver fixes and POWER10 support \| expand [00/14] gdbserver fixes and POWER10 support [01/14] gdbserver: update gdb_parser_precompile.c, rename detach command [02/14] gdbserver: include <port> argument in command line help text [03/14] gdbserver: print some client/server info [04/14] gdbserver: Make command static [05/14] gdbclient: use standard compatibility test calls [06/14] gdbserver: fix read buffer overflow [07/14] gdbserver: fix interrupt double response [08/14] libpdbg: thread_regs don't print regs [09/14] gdbserver: lexer fixes [10/14] gdbserver: implement NoAckMode [11/14] libpdbg: Remove enable_attn target command [12/14] gdbserver: disable attn after breaking [13/14] gdbserver: use read-modify-write for put_mem that is not 8-byte aligned [14/14] gdbserver: Add POWER10 support

Message ID

20220314041735.542867-8-npiggin@gmail.com

State

New

Headers

From: Nicholas Piggin <npiggin@gmail.com>
To: pdbg@lists.ozlabs.org
Date: Mon, 14 Mar 2022 14:17:27 +1000
Message-Id: <20220314041735.542867-8-npiggin@gmail.com>
In-Reply-To: <20220314041735.542867-1-npiggin@gmail.com>
References: <20220314041735.542867-1-npiggin@gmail.com>
MIME-Version: 1.0
Subject: [Pdbg] [PATCH 06/14] gdbserver: fix read buffer overflow
Precedence: list
Cc: Nicholas Piggin <npiggin@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pdbg-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Pdbg" <pdbg-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

gdbserver fixes and POWER10 support | expand

Comments

Joel Stanley March 15, 2022, 11:13 p.m. UTC | #1

On Mon, 14 Mar 2022 at 04:18, Nicholas Piggin <npiggin@gmail.com> wrote:
>
> buffer gets NUL terminated so read must return max of size-1.
>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>  src/pdbgproxy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
> index 906ed2f..78b1236 100644
> --- a/src/pdbgproxy.c
> +++ b/src/pdbgproxy.c
> @@ -388,7 +388,7 @@ static int read_from_client(int fd)
>         char buffer[BUFFER_SIZE + 1];

I assume the intent of BUFFER_SIZE+1 was to allow for the null, which
would work if we read BUFFER_SIZE. But I think sizeof(buffer) - 1 is
safer. You could get rid of the +1 perhaps?

Reviewed-by: Joel Stanley <joel@jms.id.au>


>         int nbytes;
>
> -       nbytes = read(fd, buffer, sizeof(buffer));
> +       nbytes = read(fd, buffer, sizeof(buffer) - 1);
>         if (nbytes < 0) {
>                 perror(__FUNCTION__);
>                 return -1;
> --
> 2.23.0
>
> --
> Pdbg mailing list
> Pdbg@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/pdbg

Nicholas Piggin March 29, 2022, 8:52 a.m. UTC | #2

Excerpts from Joel Stanley's message of March 16, 2022 9:13 am:
> On Mon, 14 Mar 2022 at 04:18, Nicholas Piggin <npiggin@gmail.com> wrote:
>>
>> buffer gets NUL terminated so read must return max of size-1.
>>
>> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
>> ---
>>  src/pdbgproxy.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
>> index 906ed2f..78b1236 100644
>> --- a/src/pdbgproxy.c
>> +++ b/src/pdbgproxy.c
>> @@ -388,7 +388,7 @@ static int read_from_client(int fd)
>>         char buffer[BUFFER_SIZE + 1];
> 
> I assume the intent of BUFFER_SIZE+1 was to allow for the null, which
> would work if we read BUFFER_SIZE. But I think sizeof(buffer) - 1 is
> safer. You could get rid of the +1 perhaps?

Yeah that more logically consistent. I'll change.

> 
> Reviewed-by: Joel Stanley <joel@jms.id.au>
> 
> 
>>         int nbytes;
>>
>> -       nbytes = read(fd, buffer, sizeof(buffer));
>> +       nbytes = read(fd, buffer, sizeof(buffer) - 1);
>>         if (nbytes < 0) {
>>                 perror(__FUNCTION__);
>>                 return -1;
>> --
>> 2.23.0
>>
>> --
>> Pdbg mailing list
>> Pdbg@lists.ozlabs.org
>> https://lists.ozlabs.org/listinfo/pdbg
>

diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
index 906ed2f..78b1236 100644
--- a/src/pdbgproxy.c
+++ b/src/pdbgproxy.c
@@ -388,7 +388,7 @@  static int read_from_client(int fd)
 	char buffer[BUFFER_SIZE + 1];
 	int nbytes;
 
-	nbytes = read(fd, buffer, sizeof(buffer));
+	nbytes = read(fd, buffer, sizeof(buffer) - 1);
 	if (nbytes < 0) {
 		perror(__FUNCTION__);
 		return -1;

[06/14] gdbserver: fix read buffer overflow

Commit Message

Comments

Patch