From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: 0061-ps/output.c: Always null-terminate outbuf in show_one_proc(). X-Git-Tag: v4.0.0~535 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f7d610621ec3841a73230270b0ddbfe0e3a5d16;p=procps-ng 0061-ps/output.c: Always null-terminate outbuf in show_one_proc(). Before "strlen(outbuf)", if one of the pr_*() functions forgot to do it. This prevents an out-of-bounds read in strlen(), and an out-of-bounds write in "outbuf[sz] = '\n'". Another solution would be to replace strlen() with strnlen(), but this is not used anywhere else in the code-base and may not exist in all libc's. ---------------------------- adapted for newlib branch . adapted via 'patch' without rejections Signed-off-by: Jim Warner --- diff --git a/ps/output.c b/ps/output.c index ba929486..07b1c0d5 100644 --- a/ps/output.c +++ b/ps/output.c @@ -2027,6 +2027,7 @@ void show_one_proc(const proc_t *restrict const p, const format_node *restrict f if(space>SPACE_AMOUNT) space=SPACE_AMOUNT; // only so much available /* real size -- don't forget in 'amount' is number of cells */ + outbuf[OUTBUF_SIZE-1] = '\0'; sz = strlen(outbuf); /* print data, set x position stuff */