From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: 0042-proc/slab.h: Fix off-by-one overflow in sscanf(). X-Git-Tag: v4.0.0~601 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d1729bed6b741cc6112e4da72c3bae286bbb9f7c;p=procps-ng 0042-proc/slab.h: Fix off-by-one overflow in sscanf(). In proc/slab.c, functions parse_slabinfo20() and parse_slabinfo11(), sscanf() might overflow curr->name, because "String input conversions store a terminating null byte ('\0') to mark the end of the input; the maximum field width does not include this terminator." Add one byte to name[] for this terminator. ---------------------------- adapted for newlib branch . file is now proc/slabinfo.c (not .h) . manifest constant renamed SLABINFO_NAME_LEN . older parse_slabinfo11() function no longer present Signed-off-by: Jim Warner --- diff --git a/proc/slabinfo.c b/proc/slabinfo.c index ba0219c4..966cf7d3 100644 --- a/proc/slabinfo.c +++ b/proc/slabinfo.c @@ -76,7 +76,7 @@ struct slabs_summ { }; struct slabs_node { - char name[SLABINFO_NAME_LEN]; // name of this cache + char name[SLABINFO_NAME_LEN+1]; // name of this cache unsigned long cache_size; // size of entire cache unsigned int nr_objs; // number of objects in this cache unsigned int nr_active_objs; // number of active objects
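Review bot: the `+1` on `char name[SLABINFO_NAME_LEN+1]` only closes the off-by-one if the matching sscanf() conversion in parse_slabinfo20() still uses a field width of exactly SLABINFO_NAME_LEN, and that call is outside this hunk; please confirm the width is expressed in terms of the same constant (or the read is otherwise bounded), since a literal width that drifts from the constant would reintroduce the overflow the commit message describes. Also, the subject line still names proc/slab.h while the adaptation notes say the file is now proc/slabinfo.c; aligning the subject with the actual path keeps the history searchable.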