Bug 153685 - initlog may read past end of buffer
Summary: initlog may read past end of buffer
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks: 143575 145411
Reported: 2005-04-04 23:28 UTC by Seth Robertson
Modified: 2014-03-17 02:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-05 18:17:40 UTC


Attachments
Patch to resolve problem (deleted), 2005-04-04 23:29 UTC, Seth Robertson

Description Seth Robertson 2005-04-04 23:28:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2

Description of problem:
You allocate 8k, read 8k, and then in getline read bytes without
bounding the size of data.  If you actually did read 8k, then you can
read over the end of the array.


Version-Release number of selected component (if applicable):
initscripts-7.93.5-1 and CVS HEAD

How reproducible:
Always

Steps to Reproduce:
1. valgrind --tool=memcheck ./initlog -q -c "yes a very very very very very long even large string which will be printed very often"


Actual Results:
==30387== Invalid read of size 1
==30387==    at 0x1B904747: memcpy (mac_replace_strmem.c:300)
==30387==    by 0x804971E: getLine (initlog.c:139)
==30387==    by 0x804ADB9: monitor (process.c:211)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==  Address 0x1BC7C6A8 is 0 bytes after a block of size 8192 alloc'd
==30387==    at 0x1B90540D: calloc (vg_replace_malloc.c:176)
==30387==    by 0x804AC52: monitor (process.c:191)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==    by 0x804A5B4: processArgs (initlog.c:426)


Additional info:

Patch in a few moments (stupid bugzilla)

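Added illustration of the fix pattern (not initlog's own code and not the attached patch): a line extractor that bounds its newline search by the number of valid bytes, so the "8k read, no newline" case that valgrind flagged returns "no complete line yet" instead of scanning past the end of the buffer. The buffer size, function names and the constructed input are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 8192   /* same size as the 8k buffer in the report (assumed layout) */

/* Copy one line from buf (len valid bytes) into out (capacity outcap,
 * NUL-terminated). The newline search is bounded by len, so a buffer
 * that is completely full with no '\n' can never push the scan past
 * its end. Returns the number of bytes consumed from buf (including
 * the '\n'), or 0 if no complete line is available yet, in which case
 * the caller keeps the bytes and reads more. */
size_t get_line_bounded(const char *buf, size_t len, char *out, size_t outcap)
{
    if (outcap == 0)
        return 0;
    const char *nl = memchr(buf, '\n', len);   /* bounded search */
    if (nl == NULL)
        return 0;
    size_t linelen = (size_t)(nl - buf);
    /* truncate rather than overflow the caller's output buffer */
    size_t copy = linelen < outcap - 1 ? linelen : outcap - 1;
    memcpy(out, buf, copy);
    out[copy] = '\0';
    return linelen + 1;
}

/* Report, without performing it, whether a newline scan that ignores
 * len would run off the buffer: true exactly when no '\n' lies within
 * the len valid bytes. That is the condition valgrind caught above. */
int unbounded_scan_would_overrun(const char *buf, size_t len)
{
    return memchr(buf, '\n', len) == NULL;
}

/* Constructed input: a buffer filled to capacity by one long line with
 * no terminating newline, mirroring the "yes ..." reproduction.
 * Returns 1 when both functions behave as described. */
int demo(void)
{
    char *buf = calloc(BUFSIZE, 1);
    char out[64];
    if (buf == NULL) return -1;
    memset(buf, 'a', BUFSIZE);                                /* 8192 bytes, no '\n' */
    int overrun = unbounded_scan_would_overrun(buf, BUFSIZE); /* 1: unbounded scan would leave buf */
    size_t used = get_line_bounded(buf, BUFSIZE, out, sizeof out);  /* 0: no line yet */
    buf[100] = '\n';                                           /* now a line ends inside buf */
    size_t used2 = get_line_bounded(buf, BUFSIZE, out, sizeof out); /* 101 */
    free(buf);
    return overrun && used == 0 && used2 == 101;
}
```
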
Comment 1 Seth Robertson 2005-04-04 23:29:24 UTC
Created attachment 112693 [details]
Patch to resolve problem

Comment 2 Bill Nottingham 2005-04-05 18:17:40 UTC
You shouldn't look at that code, it's bad for you. :)

Added in CVS, thanks.

