


[PATCH] Fix fillin_rpath


Hi!

If an rpath element does not contain a trailing slash, fillin_rpath can stomp on
memory. That's because it has added the trailing slash, and cp + len can then
either point past the end of the allocated area of the rpath string or at the
first character of the next rpath element. So the copied dirname can end up
terminated with a non-NUL character, or, if we're out of luck, we segfault
(efence helps greatly here). Either this can solve it, or we could just allocate
only len characters for dirname and not put the '\0' there at all (I think
dirname is only ever used in dl-load as a memory area of dirnamelen bytes).
Both variants are attached; pick whichever you like more.

	Jakub
2000-12-08  Jakub Jelinek  <jakub@redhat.com>

	* elf/dl-load.c (fillin_rpath): Don't assume there is '\0' at
	cp + len.  Compute where from dirname.
	Reported by <jreiser@BitWagon.com>.

--- libc/elf/dl-load.c.jj	Wed Dec  6 17:06:09 2000
+++ libc/elf/dl-load.c	Fri Dec  8 16:16:58 2000
@@ -408,6 +408,7 @@ fillin_rpath (char *rpath, struct r_sear
 	  size_t cnt;
 	  enum r_dir_status init_val;
 	  size_t where_len = where ? strlen (where) + 1 : 0;
+	  char *dirname;
 
 	  /* It's a new directory.  Create an entry and add it.  */
 	  dirp = (struct r_search_path_elem *)
@@ -417,9 +418,11 @@ fillin_rpath (char *rpath, struct r_sear
 	    _dl_signal_error (ENOMEM, NULL,
 			      N_("cannot create cache for search path"));
 
-	  dirp->dirname = ((char *) dirp + sizeof (*dirp)
-			   + ncapstr * sizeof (enum r_dir_status));
-	  memcpy ((char *) dirp->dirname, cp, len + 1);
+	  dirname = (char *) dirp + sizeof (*dirp)
+		    + ncapstr * sizeof (enum r_dir_status);
+	  memcpy (dirname, cp, len);
+	  dirname[len] = '\0';
+	  dirp->dirname = dirname;
 	  dirp->dirnamelen = len;
 
 	  if (len > max_dirnamelen)
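Review bot: The reason only len bytes are copied here is not recorded in the code, so the next maintainer may well "simplify" it back to a len + 1 copy and reintroduce the over-read; add a comment above the memcpy: `/* cp[len] need not be '\0': when a trailing slash was appended, cp + len may lie past the rpath buffer or on the next element, so copy len bytes and terminate here.  */`. The allocation (shown as the removed `+ where_len + len + 1` line in the second variant) still reserves the terminator, so dirname[len] and the `where` copy at dirname + len + 1 in the third hunk both stay within the malloc'd block. This variant keeps dirp->dirname a valid C string, which is the safer choice for any consumer that cannot be audited. fillin_rpath's body starts and ends outside this hunk.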
@@ -465,9 +468,7 @@ fillin_rpath (char *rpath, struct r_sear
 
 	  dirp->what = what;
 	  if (__builtin_expect (where != NULL, 1))
-	    dirp->where = memcpy ((char *) dirp + sizeof (*dirp) + len + 1
-				  + ncapstr * sizeof (enum r_dir_status),
-				  where, where_len);
+	    dirp->where = memcpy (dirname + len + 1, where, where_len);
 	  else
 	    dirp->where = NULL;
 
2000-12-08  Jakub Jelinek  <jakub@redhat.com>

	* elf/dl-load.c (fillin_rpath): Don't assume there is '\0' at
	cp + len.  Compute where from dirname.
	Reported by <jreiser@BitWagon.com>.

--- libc/elf/dl-load.c.jj	Wed Dec  6 17:06:09 2000
+++ libc/elf/dl-load.c	Fri Dec  8 16:35:41 2000
@@ -412,14 +412,14 @@ fillin_rpath (char *rpath, struct r_sear
 	  /* It's a new directory.  Create an entry and add it.  */
 	  dirp = (struct r_search_path_elem *)
 	    malloc (sizeof (*dirp) + ncapstr * sizeof (enum r_dir_status)
-		    + where_len + len + 1);
+		    + where_len + len);
 	  if (dirp == NULL)
 	    _dl_signal_error (ENOMEM, NULL,
 			      N_("cannot create cache for search path"));
 
-	  dirp->dirname = ((char *) dirp + sizeof (*dirp)
-			   + ncapstr * sizeof (enum r_dir_status));
-	  memcpy ((char *) dirp->dirname, cp, len + 1);
+	  dirp->dirname = (char *) dirp + sizeof (*dirp)
+			  + ncapstr * sizeof (enum r_dir_status);
+	  memcpy ((char *) dirp->dirname, cp, len);
 	  dirp->dirnamelen = len;
 
 	  if (len > max_dirnamelen)
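Review bot: dirp->dirname is no longer NUL-terminated after this hunk — the allocation drops the `+ 1` and the memcpy copies exactly len bytes — and with `where` placed at `dirp->dirname + len` in the second hunk, any reader that treats dirname as a C string (strlen, `%s`, strcmp) reads straight into `where`, or past the end of the block when where is NULL. The message only says the author "thinks" dirname is always used as a dirnamelen-byte area; that should be verified against every consumer before this variant is chosen, and the invariant recorded at the copy: `/* dirname is NOT NUL-terminated; use dirnamelen, never str* functions.  */`. The first variant keeps the terminator at the cost of one byte and does not depend on that audit. fillin_rpath's body starts and ends outside this hunk.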
@@ -465,8 +465,7 @@ fillin_rpath (char *rpath, struct r_sear
 
 	  dirp->what = what;
 	  if (__builtin_expect (where != NULL, 1))
-	    dirp->where = memcpy ((char *) dirp + sizeof (*dirp) + len + 1
-				  + ncapstr * sizeof (enum r_dir_status),
+	    dirp->where = memcpy ((char *) dirp->dirname + len,
 				  where, where_len);
 	  else
 	    dirp->where = NULL;
