From b3dc751212e5f2f6b5d263e009cc2b85e56bfdbf Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Thu, 7 Feb 2019 20:54:37 +0100 Subject: Buffer overflow with many arguments. Command line arguments are copied into clientargv and serverargv without verifying that enough space is available. A high amount of arguments can therefore trigger a buffer overflow like this: $ xinit $(seq 1 500) Signed-off-by: Tobias Stoeckmann Reviewed-by: Walter Harms wharms@bfs,de --- xinit.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'xinit.c') diff --git a/xinit.c b/xinit.c index f826b7a..06c92b2 100644 --- a/xinit.c +++ b/xinit.c @@ -151,7 +151,6 @@ main(int argc, char *argv[]) register char **ptr; pid_t pid; int client_given = 0, server_given = 0; - int client_args_given = 0, server_args_given = 0; int start_of_client_args, start_of_server_args; struct sigaction sa, si; #ifdef __APPLE__ @@ -174,7 +173,8 @@ main(int argc, char *argv[]) } start_of_client_args = (cptr - client); while (argc && strcmp(*argv, "--")) { - client_args_given++; + if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2) + Fatalx("too many client arguments"); *cptr++ = *argv++; argc--; } @@ -202,7 +202,8 @@ main(int argc, char *argv[]) start_of_server_args = (sptr - server); while (--argc >= 0) { - server_args_given++; + if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2) + Fatalx("too many server arguments"); *sptr++ = *argv++; } *sptr = NULL; -- cgit v1.2.3