From: Dmitry V. Levin
Date: Sat, 28 Feb 2015 14:50:09 +0000 (+0000)
Subject: Fix stack buffer overflow when specified command is too long
X-Git-Tag: v4.10~44
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1dbd39e85f567740dc00bae126741bdb9c2d777a;p=strace
Fix stack buffer overflow when specified command is too long
* strace.c (startup_child): Check that the length of the command strace is going to execute does not exceed PATH_MAX limit.
Reported-by: Cheolung Lee
---
diff --git a/strace.c b/strace.c
index fccf4ad8..b714255f 100644
--- a/strace.c
+++ b/strace.c
@@ -1157,16 +1157,19 @@ startup_child(char **argv)
 {
 struct_stat statbuf;
 const char *filename;
+ size_t filename_len;
 char pathname[PATH_MAX];
 int pid;
 struct tcb *tcp;
 filename = argv[0];
+ filename_len = strlen(filename);
+
+ if (filename_len > sizeof(pathname) - 1) {
+ errno = ENAMETOOLONG;
+ perror_msg_and_die("exec");
+ }
 if (strchr(filename, '/')) {
- if (strlen(filename) > sizeof pathname - 1) {
- errno = ENAMETOOLONG;
- perror_msg_and_die("exec");
- }
 strcpy(pathname, filename);
 }
 #ifdef USE_DEBUGGING_EXEC
@@ -1203,6 +1206,8 @@ startup_child(char **argv)
 }
 if (len && pathname[len - 1] != '/')
 pathname[len++] = '/';
+ if (filename_len + len > sizeof(pathname) - 1)
+ continue;
 strcpy(pathname + len, filename);
 if (stat_file(pathname, &statbuf) == 0 &&
 /* Accept only regular files
@@ -1212,6 +1217,8 @@ startup_child(char **argv)
 (statbuf.st_mode & 0111))
 break;
 }
+ if (!path || !*path)
+ pathname[0] = '\0';
 }
 if (stat_file(pathname, &statbuf) < 0) {
 perror_msg_and_die("Can't stat '%s'", filename);
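Review bot: The `strcpy(pathname, filename)` kept in the slash branch is now bounded only by the guard added several lines above it, and nothing at the copy site records that dependency. Since `filename_len` is already computed, `memcpy(pathname, filename, filename_len + 1);` would put the bound next to the write and keep the call from being flagged as an unbounded copy in later audits. startup_child's body begins before and continues past this hunk, so other writes to `pathname` (for example under `USE_DEBUGGING_EXEC`) are not visible here and should be checked against the same limit.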
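Review bot: When the new `continue` in the PATH loop is taken, `pathname` is left holding a directory prefix ending in '/' which, as far as this hunk shows, has no terminating NUL. That is harmless only because a later iteration presumably overwrites the buffer, or the reset added in the following hunk clears it after the last entry, so the two additions have to stay together. A comment on the check would record this, e.g. `/* candidate does not fit in pathname: skip it; the buffer is reset after the loop */`. The loop header and the code that sets `len` are outside the hunk.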
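Review bot: The added `if (!path || !*path)` detects "no PATH entry matched" by repeating what appears to be the loop's exit condition, which lies outside this hunk, so a later change to the loop header could silently disable the reset. A comment would make the intent explicit, e.g. `/* no PATH entry matched: clear pathname so the stat below fails instead of testing the last candidate */`. A `found` flag set just before `break` would be a sturdier way to express the same thing.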