From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: ps/output.c: Always null-terminate outbuf in show_one_proc().
X-Git-Tag: v3.3.15~81
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7dd7bdb09ffc5f53ad531ace227882d4a19a6f4a;p=procps-ng

ps/output.c: Always null-terminate outbuf in show_one_proc().

Before "strlen(outbuf)", if one of the pr_*() functions forgot to do it.
This prevents an out-of-bounds read in strlen(), and an out-of-bounds
write in "outbuf[sz] = '\n'". Another solution would be to replace
strlen() with strnlen(), but this is not used anywhere else in the
code-base and may not exist in all libc's.
---

diff --git a/ps/output.c b/ps/output.c
index a60c98e8..e718f198 100644
--- a/ps/output.c
+++ b/ps/output.c
@@ -2120,6 +2120,7 @@ void show_one_proc(const proc_t *restrict const p, const format_node *restrict f
     if(unlikely(space>SPACE_AMOUNT)) space=SPACE_AMOUNT;  // only so much available
 
     /* real size -- don't forget in 'amount' is number of cells */
+    outbuf[OUTBUF_SIZE-1] = '\0';
     sz = strlen(outbuf);
 
     /* print data, set x position stuff */