Fix stack overflow in: inotifytools_replace_filename #104

Merged

ericcurtin merged 1 commit into inotify-tools:master from jankratochvil:stack
Jan 27, 2020

Conversation

@jankratochvil (Contributor)

```
/var/cache/dnf/fedora-modular-42f5060c2cfa4ffa/ MOVED_TO,ISDIR repodata
*** stack smashing detected ***: <unknown> terminated
% #0  0x0000ffffa6d08c90 in raise () from /usr/lib64/libc.so.6
% #1  0x0000ffffa6cf6aa8 in abort () from /usr/lib64/libc.so.6
% #2  0x0000ffffa6d42acc in __libc_message () from /usr/lib64/libc.so.6
% #3  0x0000ffffa6db4f54 in __fortify_fail_abort () from /usr/lib64/libc.so.6
% #4  0x0000ffffa6db4f08 in __stack_chk_fail () from /usr/lib64/libc.so.6
% #5  0x0000ffffa6e4f958 in inotifytools_replace_filename (oldname=<optimized out>, newname=<optimized out>) at inotifytools.c:866
% #6  0x0000aaaab1b5de98 in main (argc=<optimized out>, argv=<optimized out>) at inotifywait.c:389
```

A simple fix would be:

```
	char *names[2+(sizeof(int)+sizeof(char*)-1)/sizeof(char*)];
```

A similar fix is in:

```
	inotify-tools_3.14-8.debian/debian/patches/0006-Fix-buffer-overrun-in-inotifytools.c.patch
```

I find the attached struct for callback data a cleaner and more standard
solution.

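The sizing arithmetic behind the "simple fix" above, worked through in C as an added example; this is not code from the inotify-tools project or from this PR. It assumes the pre-fix code sized its callback array as `2 + sizeof(int)/sizeof(char*)` and stored `strlen(oldname)` as an `int` starting at the third `char*` slot (an assumption about the original, not shown on this page). The second half shows the typed-struct alternative the merged PR chose; `struct replace_ctx`, `replace_one`, `replace_filename_prefix` and the sample paths are this example's own, not the project's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Why the array sizing overflowed -------------------------------------
 * The scheme stuffs an int into a char* array after two pointers.
 * buggy_slots() models the assumed pre-fix sizing: sizeof(int)/sizeof(char*)
 * truncates to 0 on LP64, so no slot is reserved for the int at all.
 * fixed_slots() is the rounded-up expression from the PR description. */
size_t buggy_slots(void) { return 2 + sizeof(int) / sizeof(char *); }
size_t fixed_slots(void) { return 2 + (sizeof(int) + sizeof(char *) - 1) / sizeof(char *); }

/* Bytes the scheme actually writes: two pointers, then an int at &names[2]. */
size_t bytes_written(void) { return 2 * sizeof(char *) + sizeof(int); }
int buggy_overflows(void) { return buggy_slots() * sizeof(char *) < bytes_written(); }
int fixed_overflows(void) { return fixed_slots() * sizeof(char *) < bytes_written(); }

/* --- The typed alternative the merged PR chose ---------------------------
 * A struct carries the callback state; the compiler sizes it and no int is
 * ever aliased through a char* slot. Names here are this example's own. */
struct replace_ctx {
    const char *oldname;
    const char *newname;
    size_t oldlen; /* strlen(oldname), computed once by the caller */
};

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) { perror("malloc"); exit(EXIT_FAILURE); }
    return memcpy(p, s, n);
}

/* Walk callback: rewrite *slot if it begins with ctx->oldname.
 * Receives the context as void*, as a tree-walk callback would.
 * Returns 1 when a replacement happened, 0 otherwise. */
static int replace_one(char **slot, void *arg)
{
    const struct replace_ctx *ctx = arg;
    const char *name = *slot;
    if (strncmp(name, ctx->oldname, ctx->oldlen) != 0)
        return 0;
    size_t newlen = strlen(ctx->newname);
    size_t tail = strlen(name) - ctx->oldlen;  /* bytes after the prefix */
    char *out = malloc(newlen + tail + 1);
    if (!out) { perror("malloc"); exit(EXIT_FAILURE); }
    memcpy(out, ctx->newname, newlen);
    memcpy(out + newlen, name + ctx->oldlen, tail + 1); /* includes the NUL */
    free(*slot);
    *slot = out;
    return 1;
}

/* Stand-in for walking the watch tree: an array of heap-owned names.
 * Returns how many entries were rewritten. */
int replace_filename_prefix(char **names, size_t n,
                            const char *oldname, const char *newname)
{
    struct replace_ctx ctx = { oldname, newname, strlen(oldname) };
    int replaced = 0;
    for (size_t i = 0; i < n; i++)
        replaced += replace_one(&names[i], &ctx);
    return replaced;
}

int main(void)
{
    /* Constructed sample watch names, loosely modelled on the backtrace path. */
    char *names[] = {
        xstrdup("/var/cache/dnf/fedora-modular-42f5060c2cfa4ffa/repodata"),
        xstrdup("/var/cache/dnf/fedora-modular-42f5060c2cfa4ffa/"),
        xstrdup("/tmp/unrelated"),
    };
    size_t n = sizeof names / sizeof names[0];

    printf("slots: unrounded=%zu rounded=%zu, needed=%zu bytes -> unrounded %s\n",
           buggy_slots(), fixed_slots(), bytes_written(),
           buggy_overflows() ? "OVERFLOWS" : "fits");

    int k = replace_filename_prefix(names, n,
                                    "/var/cache/dnf/fedora-modular-42f5060c2cfa4ffa/",
                                    "/var/cache/dnf/fedora-modular-renamed/");
    printf("%d names rewritten\n", k);
    for (size_t i = 0; i < n; i++) { puts(names[i]); free(names[i]); }
    return 0;
}
```

On an LP64 target the unrounded expression yields two slots (16 bytes) while the scheme writes 20, which is the four-byte overrun the stack protector reported in the backtrace; on ILP32 the division happens to give three slots and the bug stays hidden. The rounded-up expression fixes the arithmetic, but the struct removes the reason to do pointer/int aliasing through a `char*` array in the first place.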
@ericcurtin (Member) left a comment

Nice work, much more typesafe!

@ericcurtin ericcurtin merged commit ec484ca into inotify-tools:master Jan 27, 2020
2 participants