From: Mike Frysinger
Date: Tue, 21 Oct 2014 12:34:08 +0000 (-0400)
Subject: sock: fix decoding of struct ifreq.ifr_name
X-Git-Tag: v4.10~380
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8b5fbeea993f63d15d88f58693eaf0bb207907ef;p=strace
sock: fix decoding of struct ifreq.ifr_name
The ifr name fields of the ifreq structure might not be NUL terminated. If the user makes an ioctl call where they aren't, then strace ends up reading random content from its own stack. Limit the printf lengths.
* sock.c (sock_ioctl): Add explicit length limits to ifr_name printfs.
---
diff --git a/sock.c b/sock.c
index dca9bfd4..d04e8330 100644
--- a/sock.c
+++ b/sock.c
@@ -131,12 +131,14 @@ sock_ioctl(struct tcb *tcp, long code, long arg)
if (code == SIOCGIFNAME || code == SIOCSIFNAME)
tprintf(", {ifr_index=%d, ifr_name=???}", ifr.ifr_ifindex);
else
- tprintf(", {ifr_name=\"%s\", ???}", ifr.ifr_name);
+ tprintf(", {ifr_name=\"%.*s\", ???}",
+ IFNAMSIZ, ifr.ifr_name);
} else if (code == SIOCGIFNAME || code == SIOCSIFNAME)
- tprintf(", {ifr_index=%d, ifr_name=\"%s\"}",
- ifr.ifr_ifindex, ifr.ifr_name);
+ tprintf(", {ifr_index=%d, ifr_name=\"%.*s\"}",
+ ifr.ifr_ifindex, IFNAMSIZ, ifr.ifr_name);
else {
- tprintf(", {ifr_name=\"%s\", ", ifr.ifr_name);
+ tprintf(", {ifr_name=\"%.*s\", ",
+ IFNAMSIZ, ifr.ifr_name);
switch (code) {
case SIOCGIFINDEX:
tprintf("ifr_index=%d", ifr.ifr_ifindex);
@@ -237,8 +239,8 @@ sock_ioctl(struct tcb *tcp, long code, long arg)
for (i = 0; i < nifra; ++i ) {
if (i > 0)
tprints(", ");
- tprintf("{\"%s\", {",
- ifra[i].ifr_name);
+ tprintf("{\"%.*s\", {",
+ IFNAMSIZ, ifra[i].ifr_name);
if (verbose(tcp)) {
printxval(addrfams, ifra[i].ifr_addr.sa_family,
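Review bot: The three `%.*s` conversions in the first hunk still copy the ifr_name bytes into the output verbatim between the quote characters, so a name that carries a `"`, a backslash or a non-printable byte yields a trace line that cannot be parsed back unambiguously; the IFNAMSIZ bound closes the over-read but leaves the quoting issue, and the `ifra[i].ifr_name` print in the second hunk has the same shape. If strace's quoting routine for buffers already copied into strace's own memory is usable here, these prints should go through it rather than a bare `%.*s`; otherwise the changed lines deserve a comment recording the invariant they rely on, e.g. `/* ifr_name need not be NUL-terminated; read at most IFNAMSIZ bytes */` above the first changed tprintf. `%.*s` takes an `int` precision, which the `IFNAMSIZ` macro satisfies, so no cast is needed there. The body of sock_ioctl begins before and continues after this hunk.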