author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2019-02-07 20:54:37 +0100 |
---|---|---|
committer | Walter Harms <wharms@bfs.de> | 2019-02-09 18:26:57 +0100 |
commit | b3dc751212e5f2f6b5d263e009cc2b85e56bfdbf (patch) | |
tree | 6a3303f0eaf33011bf3abe9835ba85d88464bd89 | |
parent | f727023c1a75dcc467dd99a3db69a5834a0718f0 (diff) |
Buffer overflow with many arguments.
Command line arguments are copied into clientargv and serverargv without
verifying that enough space is available. A large number of arguments can
therefore trigger a buffer overflow like this:
$ xinit $(seq 1 500)
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Walter Harms wharms@bfs,de
-rw-r--r-- | xinit.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -151,7 +151,6 @@ main(int argc, char *argv[])
 register char **ptr;
 pid_t pid;
 int client_given = 0, server_given = 0;
- int client_args_given = 0, server_args_given = 0;
 int start_of_client_args, start_of_server_args;
 struct sigaction sa, si;
 #ifdef __APPLE__
@@ -174,7 +173,8 @@ main(int argc, char *argv[])
 }
 start_of_client_args = (cptr - client);
 while (argc && strcmp(*argv, "--")) {
- client_args_given++;
+ if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2)
+ Fatalx("too many client arguments");
 *cptr++ = *argv++;
 argc--;
 }
@@ -202,7 +202,8 @@ main(int argc, char *argv[])
 start_of_server_args = (sptr - server);
 while (--argc >= 0) {
- server_args_given++;
+ if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2)
+ Fatalx("too many server arguments");
 *sptr++ = *argv++;
 }
 *sptr = NULL; |
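Review bot: The `- 2` in `cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2` (second hunk) and in the matching `sptr` check (third hunk) is unexplained, and an off-by-one here decides whether the fix holds. From the visible lines it permits the last copy at index count-2 so that the `*sptr = NULL;` after the loop still lands on the final element; a comment such as `/* keep the last slot free for the terminating NULL */` above each check would record that. Both checks are unbraced and rely on `Fatalx` never returning, which is defined outside the hunk, so it is worth confirming it is declared noreturn, otherwise the copy on the next line still runs. main's body starts and ends outside these hunks, so writes through `cptr`/`sptr` before the loops are not covered by this review.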