diff mbox series

[06/14] gdbserver: fix read buffer overflow

Message ID 20220314041735.542867-8-npiggin@gmail.com
State New
Headers show
Series gdbserver fixes and POWER10 support | expand

Commit Message

Nicholas Piggin March 14, 2022, 4:17 a.m. UTC
buffer gets NUL terminated so read must return max of size-1.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 src/pdbgproxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Joel Stanley March 15, 2022, 11:13 p.m. UTC | #1
On Mon, 14 Mar 2022 at 04:18, Nicholas Piggin <npiggin@gmail.com> wrote:
>
> buffer gets NUL terminated so read must return max of size-1.
>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>  src/pdbgproxy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
> index 906ed2f..78b1236 100644
> --- a/src/pdbgproxy.c
> +++ b/src/pdbgproxy.c
> @@ -388,7 +388,7 @@ static int read_from_client(int fd)
>         char buffer[BUFFER_SIZE + 1];

I assume the intent of BUFFER_SIZE+1 was to allow for the null, which
would work if we read BUFFER_SIZE. But I think sizeof(buffer) - 1 is
safer. You could get rid of the +1 perhaps?

Reviewed-by: Joel Stanley <joel@jms.id.au>


>         int nbytes;
>
> -       nbytes = read(fd, buffer, sizeof(buffer));
> +       nbytes = read(fd, buffer, sizeof(buffer) - 1);
>         if (nbytes < 0) {
>                 perror(__FUNCTION__);
>                 return -1;
> --
> 2.23.0
>
> --
> Pdbg mailing list
> Pdbg@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/pdbg
Nicholas Piggin March 29, 2022, 8:52 a.m. UTC | #2
Excerpts from Joel Stanley's message of March 16, 2022 9:13 am:
> On Mon, 14 Mar 2022 at 04:18, Nicholas Piggin <npiggin@gmail.com> wrote:
>>
>> buffer gets NUL terminated so read must return max of size-1.
>>
>> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
>> ---
>>  src/pdbgproxy.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
>> index 906ed2f..78b1236 100644
>> --- a/src/pdbgproxy.c
>> +++ b/src/pdbgproxy.c
>> @@ -388,7 +388,7 @@ static int read_from_client(int fd)
>>         char buffer[BUFFER_SIZE + 1];
> 
> I assume the intent of BUFFER_SIZE+1 was to allow for the null, which
> would work if we read BUFFER_SIZE. But I think sizeof(buffer) - 1 is
> safer. You could get rid of the +1 perhaps?

Yeah that more logically consistent. I'll change.

> 
> Reviewed-by: Joel Stanley <joel@jms.id.au>
> 
> 
>>         int nbytes;
>>
>> -       nbytes = read(fd, buffer, sizeof(buffer));
>> +       nbytes = read(fd, buffer, sizeof(buffer) - 1);
>>         if (nbytes < 0) {
>>                 perror(__FUNCTION__);
>>                 return -1;
>> --
>> 2.23.0
>>
>> --
>> Pdbg mailing list
>> Pdbg@lists.ozlabs.org
>> https://lists.ozlabs.org/listinfo/pdbg
>
diff mbox series

Patch

diff --git a/src/pdbgproxy.c b/src/pdbgproxy.c
index 906ed2f..78b1236 100644
--- a/src/pdbgproxy.c
+++ b/src/pdbgproxy.c
@@ -388,7 +388,7 @@  static int read_from_client(int fd)
 	char buffer[BUFFER_SIZE + 1];
 	int nbytes;
 
-	nbytes = read(fd, buffer, sizeof(buffer));
+	nbytes = read(fd, buffer, sizeof(buffer) - 1);
 	if (nbytes < 0) {
 		perror(__FUNCTION__);
 		return -1;