authorRoland McGrath <roland@redhat.com>2005-06-01 19:22:06 +0000
committerRoland McGrath <roland@redhat.com>2005-06-01 19:22:06 +0000
commitaa524c88c49814863cb7f19e5c8a8eeca6ce22fe (patch)
treea2990277e60e1f07e3ffee8e7d0fe0ff42944531 /mem.c
parentb422e0d47dd81daa7d7df359f1237c7aaea173cb (diff)
2005-05-31 Dmitry V. Levin <ldv@altlinux.org>
Deal with memory management issues. * defs.h (tprint_iov): Update prototype. * desc.c (sys_epoll_wait) [HAVE_SYS_EPOLL_H]: Do not allocate epoll_event array of arbitrary size on the stack, to avoid stack overflow. * file.c (print_xattr_val): Check for integer overflow during malloc size calculation, to avoid heap corruption. * io.c (tprint_iov) [HAVE_SYS_UIO_H]: Check for integer overflow during malloc size calculation, to avoid heap corruption. Change iovec array handling to avoid heap memory allocation. * mem.c (get_nodes) [LINUX]: Check for integer overflow during size calculation and do not allocate array of arbitrary size on the stack, to avoid stack overflow. * net.c (printcmsghdr) [HAVE_SENDMSG]: Do not allocate array of arbitrary size on the stack, to avoid stack overflow. Do not trust cmsg.cmsg_len to avoid read beyond the end of allocated object. (printmsghdr) [HAVE_SENDMSG]: Update tprint_iov() usage. * process.c (sys_setgroups): Check for integer overflow during malloc size calculation, to avoid heap corruption. Change gid_t array handling to avoid heap memory allocation. (sys_getgroups): Likewise. (sys_setgroups32) [LINUX]: Likewise. (sys_getgroups32) [LINUX]: Likewise. * stream.c (sys_poll) [HAVE_SYS_POLL_H]: Check for integer overflow during malloc size calculation, to avoid heap corruption. Change pollfd array handling to avoid heap memory allocation. * system.c (sys_sysctl) [LINUX]: Check for integer overflow during malloc size calculation, to avoid heap corruption. * util.c (dumpiov) [HAVE_SYS_UIO_H]: Check for integer overflow during malloc size calculation, to avoid heap corruption. Fixes RH#159196.
Diffstat (limited to 'mem.c')
-rw-r--r--mem.c51
1 files changed, 34 insertions, 17 deletions
diff --git a/mem.c b/mem.c
index 08a5f92..636644e 100644
--- a/mem.c
+++ b/mem.c
@@ -692,26 +692,43 @@ unsigned long ptr;
unsigned long maxnodes;
int err;
{
- int nlongs = (maxnodes + 8 * sizeof(long) - 1) / (8 * sizeof(long));
- if (err || !abbrev(tcp) || nlongs > getpagesize() / sizeof(long)
- || nlongs == 0) {
- long buf[nlongs];
- if (umoven(tcp, ptr, nlongs * sizeof(long),
- (char *) buf) < 0)
- tprintf(", %lx", ptr);
- else {
- int i;
- tprintf(", {");
- for (i = 0; i < nlongs; ++i) {
- if (i > 0)
- tprintf(", ");
- tprintf("%#0*lx", (int) sizeof(long) * 2 + 2,
- buf[i]);
+ unsigned long nlongs, size, end;
+
+ nlongs = (maxnodes + 8 * sizeof(long) - 1) / (8 * sizeof(long));
+ size = nlongs * sizeof(long);
+ end = ptr + size;
+ if (nlongs == 0 || ((err || verbose(tcp)) && (size * 8 == maxnodes)
+ && (end > ptr))) {
+ unsigned long n, cur, abbrev_end;
+ int failed = 0;
+
+ if (abbrev(tcp)) {
+ abbrev_end = ptr + max_strlen * sizeof(long);
+ if (abbrev_end < ptr)
+ abbrev_end = end;
+ } else {
+ abbrev_end = end;
+ }
+ tprintf(", {");
+ for (cur = ptr; cur < end; cur += sizeof(long)) {
+ if (cur > ptr)
+ tprintf(", ");
+ if (cur >= abbrev_end) {
+ tprintf("...");
+ break;
+ }
+ if (umoven(tcp, cur, sizeof(n), (char *) &n) < 0) {
+ tprintf("?");
+ failed = 1;
+ break;
}
- tprintf("}");
+ tprintf("%#0*lx", (int) sizeof(long) * 2 + 2, n);
}
+ tprintf("}");
+ if (failed)
+ tprintf(" %#lx", ptr);
} else
- tprintf(", %lx", ptr);
+ tprintf(", %#lx", ptr);
tprintf(", %lu", maxnodes);
}
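Review bot: The `(size * 8 == maxnodes)` term in the new condition serves as the overflow guard for the round-up, but it is also false for any maxnodes that is not an exact multiple of the bits in a long, so such calls print only the raw pointer even when nothing overflowed. If that restriction is not intended, a round-up that cannot wrap, `nlongs = maxnodes / (8 * sizeof(long)) + (maxnodes % (8 * sizeof(long)) != 0);`, makes the equality test unnecessary and leaves `end > ptr` as the only wrap check. Relatedly, when `maxnodes + 8 * sizeof(long) - 1` wraps, nlongs becomes 0 and the `nlongs == 0 ||` arm prints `{}` for a huge count; nothing is read from the tracee in that case because end equals ptr, but the output is misleading. Either way, a short comment on the condition saying which term guards which overflow would help the next reader. The function header is outside the hunk, so this is based on the body alone.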