From: "Steven Rostedt (VMware)" <rostedt@xxxxxxxxxxx>
Need to tell scanf() the size of the mapname so that we don't risk a buffer overflow. As STRINGIFY() will make a string from the size, we can't use "PATH_MAX + 22", but 4096 should be plenty big enough.
Signed-off-by: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>
---
 lib/trace-cmd/trace-input.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/trace-cmd/trace-input.c b/lib/trace-cmd/trace-input.c
index 8cceb31c..1db1bffa 100644
--- a/lib/trace-cmd/trace-input.c
+++ b/lib/trace-cmd/trace-input.c
@@ -20,6 +20,9 @@
 #include "kbuffer.h"
 #include "list.h"
+#define _STRINGIFY(x) #x
+#define STRINGIFY(x) _STRINGIFY(x)
+
 #define MISSING_EVENTS (1 << 31)
 #define MISSING_STORED (1 << 30)
@@ -2164,11 +2167,12 @@ static void procmap_free(struct pid_addr_maps *maps)
 free(maps);
 }
-#define STR_PROCMAP_LINE_MAX (PATH_MAX+22)
+/* Needs to be a constant, and 4K should be good enough */
+#define STR_PROCMAP_LINE_MAX 4096
 static int trace_pid_map_load(struct tracecmd_input *handle, char *buf)
 {
 struct pid_addr_maps *maps = NULL;
- char mapname[STR_PROCMAP_LINE_MAX];
+ char mapname[STR_PROCMAP_LINE_MAX+1];
 char *line;
 int res;
 int ret;
@@ -2187,7 +2191,7 @@ static int trace_pid_map_load(struct tracecmd_input *handle, char *buf)
 if (strlen(buf) > STR_PROCMAP_LINE_MAX)
 goto out_fail;
- res = sscanf(buf, "%x %x %s", &maps->pid, &maps->nr_lib_maps, mapname);
+ res = sscanf(buf, "%x %x %"STRINGIFY(STR_PROCMAP_LINE_MAX)"s", &maps->pid, &maps->nr_lib_maps, mapname);
 if (res != 3)
 goto out_fail;
--
2.20.1
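Review bot: In the first hunk, the helper `_STRINGIFY` starts with an underscore followed by an uppercase letter, a spelling C reserves for the implementation, so it can collide with a definition from a system header. Renaming the pair to `#define STRINGIFY_(x) #x` and `#define STRINGIFY(x) STRINGIFY_(x)` avoids that. A short comment such as `/* two levels so a macro argument is expanded before it is stringified */` would also explain why both macros exist.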
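Review bot: In the second hunk, the comment on `STR_PROCMAP_LINE_MAX` says only that it "needs to be a constant", but STRINGIFY() pastes the macro's replacement text into the format string, so it must be a bare decimal literal. A value such as `(4096)`, `4096U` or `4 * 1024` would compile and yield a malformed conversion specification. I would word it as `/* Must be a plain decimal literal: it is stringified into the sscanf() field width */`. Separately, the limit drops from `PATH_MAX+22` to 4096, so on systems where PATH_MAX is 4096 a line carrying a maximum-length path would presumably now be rejected by the `strlen(buf) > STR_PROCMAP_LINE_MAX` test in the next hunk; worth confirming that is acceptable. trace_pid_map_load's body continues outside the hunk.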
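Review bot: In the third hunk, the `%4096s` width on the added sscanf() line is safe only because `mapname` is declared one byte larger in the previous hunk, and nothing enforces that pairing if either side is edited later. If the project's C standard allows it, `_Static_assert(sizeof(mapname) > STR_PROCMAP_LINE_MAX, "mapname too small for sscanf width");` placed just before the call would make the coupling a compile-time check. Failing that, a comment at the call such as `/* width leaves room for the NUL: mapname is STR_PROCMAP_LINE_MAX+1 bytes */` records the invariant. The surrounding function starts and ends outside this hunk.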