Fix stack buffer overflow when specified command is too long
authorDmitry V. Levin <ldv@altlinux.org>
Sat, 28 Feb 2015 14:50:09 +0000 (14:50 +0000)
committerDmitry V. Levin <ldv@altlinux.org>
Sat, 28 Feb 2015 14:50:09 +0000 (14:50 +0000)
* strace.c (startup_child): Check that the length of the command strace
is going to execute does not exceed PATH_MAX limit.

Reported-by: Cheolung Lee <chpie@grayhash.com>
strace.c

index fccf4ad84b31f15cdd4415502a72efeab7fa7ad0..b714255f41e1b6aeb9af95c4533520932e04d65b 100644 (file)
--- a/strace.c
+++ b/strace.c
@@ -1157,16 +1157,19 @@ startup_child(char **argv)
 {
        struct_stat statbuf;
        const char *filename;
+       size_t filename_len;
        char pathname[PATH_MAX];
        int pid;
        struct tcb *tcp;
 
        filename = argv[0];
+       filename_len = strlen(filename);
+
+       if (filename_len > sizeof(pathname) - 1) {
+               errno = ENAMETOOLONG;
+               perror_msg_and_die("exec");
+       }
        if (strchr(filename, '/')) {
-               if (strlen(filename) > sizeof pathname - 1) {
-                       errno = ENAMETOOLONG;
-                       perror_msg_and_die("exec");
-               }
                strcpy(pathname, filename);
        }
 #ifdef USE_DEBUGGING_EXEC
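Review bot: The `strcpy(pathname, filename)` in the `strchr` branch is in bounds only because of the length check a few lines above it, and nothing at the copy itself shows that. Since `filename_len` is already computed, `memcpy(pathname, filename, filename_len + 1);` would make the bound visible at the copy and avoid rescanning the string. The same applies to `strcpy(pathname + len, filename)` in the second hunk. This is a style point rather than a defect, since with the early check both copies fit in `pathname`. `startup_child` continues past the end of this hunk.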
@@ -1203,6 +1206,8 @@ startup_child(char **argv)
                        }
                        if (len && pathname[len - 1] != '/')
                                pathname[len++] = '/';
+                       if (filename_len + len > sizeof(pathname) - 1)
+                               continue;
                        strcpy(pathname + len, filename);
                        if (stat_file(pathname, &statbuf) == 0 &&
                            /* Accept only regular files
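Review bot: The new bound protects the `strcpy`, but `pathname[len++] = '/'` one line above it runs before the check. That write stays in bounds only if the part of the loop outside this hunk keeps `len` below `sizeof(pathname)`, which is worth confirming. A comment on the check would also help the next reader, for example `/* len already counts the trailing '/'; the - 1 reserves room for the NUL */`. The loop starts before this hunk and continues after it.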
@@ -1212,6 +1217,8 @@ startup_child(char **argv)
                            (statbuf.st_mode & 0111))
                                break;
                }
+               if (!path || !*path)
+                       pathname[0] = '\0';
        }
        if (stat_file(pathname, &statbuf) < 0) {
                perror_msg_and_die("Can't stat '%s'", filename);
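Review bot: `if (!path || !*path)` stands in for "the PATH search ended without a `break`", which presumably holds because `break` leaves `path` on a non-empty component; the loop header is outside this hunk, so that should be confirmed. The test deserves a comment such as `/* no usable candidate found: do not stat a partial pathname */`. When every candidate was skipped by the length check in the second hunk, the failure is reported by `stat_file` on an empty string through "Can't stat '%s'". The user then likely sees a not-found error rather than ENAMETOOLONG. The rest of `startup_child` lies outside this hunk.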