authorMartin Pieuchot <mpi@cvs.openbsd.org>2017-10-27 09:22:21 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2017-10-27 09:22:21 +0000
commitebfa3910dd2bfeae0241dc204d646f4cff7be744 (patch)
treeca84348f7c43b24a63dd71033451831b6a91ec4c /usr.bin/ctfdump
parent1c286d5a68dd85ae9747542f8437e147eff0b466 (diff)
Prevent an out-of-bounds access leading to an invalid pointer dereference when
dumping functions. Sync the logic with the kernel iterator for that. Issue found by jsg@ with afl(1).
Diffstat (limited to 'usr.bin/ctfdump')
-rw-r--r--usr.bin/ctfdump/ctfdump.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/usr.bin/ctfdump/ctfdump.c b/usr.bin/ctfdump/ctfdump.c
index dafea943332..9b9a6981e57 100644
--- a/usr.bin/ctfdump/ctfdump.c
+++ b/usr.bin/ctfdump/ctfdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ctfdump.c,v 1.12 2017/10/27 08:33:46 mpi Exp $ */
+/* $OpenBSD: ctfdump.c,v 1.13 2017/10/27 09:22:20 mpi Exp $ */
/*
* Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org>
@@ -349,12 +349,16 @@ ctf_dump(const char *p, size_t size, uint8_t flags)
if (flags & DUMP_FUNCTION) {
uint16_t *fsp, kind, vlen;
+ uint16_t *fstart, *fend;
size_t idx = 0, i = -1;
const char *s;
int l;
- fsp = (uint16_t *)(data + cth->cth_funcoff);
- while (fsp < (uint16_t *)(data + cth->cth_typeoff)) {
+ fstart = (uint16_t *)(data + cth->cth_funcoff);
+ fend = (uint16_t *)(data + cth->cth_typeoff);
+
+ fsp = fstart;
+ while (fsp < fend) {
kind = CTF_INFO_KIND(*fsp);
vlen = CTF_INFO_VLEN(*fsp);
s = elf_idx2sym(&idx, STT_FUNC);
@@ -368,7 +372,7 @@ ctf_dump(const char *p, size_t size, uint8_t flags)
if (s != NULL)
printf("(%s)", s);
printf(" returns: %u args: (", *fsp++);
- while (vlen-- > 0)
+ while (vlen-- > 0 && fsp < fend)
printf("%u%s", *fsp++, (vlen > 0) ? ", " : "");
printf(")\n");
}
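Review bot: The return-type read on the `printf(" returns: %u args: (", *fsp++);` line is still unbounded: the loop condition only guarantees `fsp < fend` when the info word is read, and the info word appears to be consumed (advancing fsp) in the lines between the two hunks, so a function entry whose info word is the last element before `fend` reads one word past it before the new `fsp < fend` guard on the argument loop takes effect. A guard such as `if (fsp >= fend) break;` immediately before that printf would close the gap, mirroring the check the commit adds for the arguments. It is also worth a short comment above `fend = ...` stating that `cth_funcoff`/`cth_typeoff` are assumed to have been validated against `size` earlier in ctf_dump, since nothing in these hunks checks that `fend` lies inside the mapped buffer. ctf_dump begins and ends outside the hunks.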