From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: proc/readproc.c: Harden stat2proc(). X-Git-Tag: v3.3.15~70 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=344f6d3c0e0b2ff923089b5318f3a69c3d5b7f46;p=procps-ng proc/readproc.c: Harden stat2proc(). 1/ Use a "size_t num" instead of an "unsigned num" (also, do not store the return value of sscanf() into num, it was unused anyway). 2/ Check the return value of strchr() and strrchr(). 3/ Never jump over the terminating null byte with "S = tmp + 2".
---
diff --git a/proc/readproc.c b/proc/readproc.c
index ca1ebb03..bda8d86b 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -582,7 +582,7 @@ static void sd2proc(proc_t *restrict p) {
 // Reads /proc/*/stat files, being careful not to trip over processes with
 // names like ":-) 1 2 3 4 5 6".
 static void stat2proc(const char* S, proc_t *restrict P) {
- unsigned num;
+ size_t num;
 char* tmp;
 ENTER(0x160);
@@ -593,15 +593,19 @@ ENTER(0x160);
 P->sched = -1;
 P->nlwp = 0;
- S = strchr(S, '(') + 1;
+ S = strchr(S, '(');
+ if(unlikely(!S)) return;
+ S++;
 tmp = strrchr(S, ')');
+ if(unlikely(!tmp)) return;
+ if(unlikely(!tmp[1])) return;
 num = tmp - S;
 if(unlikely(num >= sizeof P->cmd)) num = sizeof P->cmd - 1;
 memcpy(P->cmd, S, num);
 P->cmd[num] = '\0';
 S = tmp + 2; // skip ") "
- num = sscanf(S,
+ sscanf(S,
 "%c "
 "%d %d %d %d %d "
 "%lu %lu %lu %lu %lu "
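Review bot: The three new early returns in the second hunk (after `strchr`, after `strrchr`, and on `!tmp[1]`) leave `stat2proc()` silently, and because the function is `static void` the caller cannot tell a rejected stat line from a parsed one; `P->cmd` and every field the `sscanf` below would have filled keep whatever the caller left there. Unless every caller is known to zero the `proc_t` first (not visible in this hunk), add `P->cmd[0] = '\0';` next to the existing defaults (`P->sched = -1; P->nlwp = 0;`) so a malformed line cannot surface stale or uninitialised bytes as a command name. The same concern applies to the now-discarded `sscanf` result: a short match leaves the trailing fields unset, so comparing it with the expected conversion count would be a worthwhile follow-up, though the format string and the rest of the function continue past the end of this hunk. If `ENTER(0x160)` is paired with an exit macro at the end of the function, the early returns also bypass it.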