From 418cda65f752e367fa663fd13884a45fcbc39ddd Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Thu, 10 Aug 2017 19:38:24 +0200
Subject: Do not overrun plugin string when copying it.
parse_plugin() expands the % in plugin string to plugin_copy. It checks that is does not write behind the end of the destination memory, but the source length was not checked. This resulted in reading from a possibly invalid memory location which may cause a segmentation fault. Add a check for the string length of the source.
---
 socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/socket.c b/socket.c
index 546a6bd4..93e43e69 100644
--- a/socket.c
+++ b/socket.c
@@ -111,7 +111,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
 return NULL;
 }
- while (plugin_copy_offset < plugin_copy_len)
+ while (plugin_offset < plugin_len && plugin_copy_offset < plugin_copy_len)
 {
 if ((plugin[plugin_offset] == '%') && (plugin[plugin_offset + 1] == 'h')) {
 strcpy(plugin_copy + plugin_copy_offset, host);
 plugin_offset += 2;
-- 
cgit v1.2.3
From 010433d2c8c99e2a7895cdfa45c50f8c11b6812c Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 11 Aug 2017 15:57:33 +0200
Subject: Add a FIXME comment.
---
 socket.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/socket.c b/socket.c
index 93e43e69..f836115f 100644
--- a/socket.c
+++ b/socket.c
@@ -130,6 +130,8 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
 }
 plugin_copy[plugin_copy_len] = 0;
+ /* XXX FIXME - is this perhaps a bit too simplistic to chop down the argument strings without any respect to quoting?
+ * better write a generic function that tracks arguments instead... */
 argvec = (char **)malloc(s);
 if (!argvec) {
-- 
cgit v1.2.3
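Review bot: The new `plugin_offset < plugin_len` test closes the over-read of the source, but the `strcpy(plugin_copy + plugin_copy_offset, host)` two lines below is still bounded only by however `plugin_copy_len` was computed before this hunk; the loop condition proves the write offset is inside the buffer, not that `strlen(host)` more bytes fit after it. Making that bound local removes the dependence on the earlier arithmetic, e.g. `if (strlen(host) > plugin_copy_len - plugin_copy_offset) return NULL;` immediately before the copy (the subtraction cannot underflow while the loop condition holds, and the terminator then lands at or before `plugin_copy[plugin_copy_len]`, the slot the function later zeroes). The `plugin[plugin_offset + 1]` read when `plugin_offset == plugin_len - 1` is in bounds only because it hits the terminator, which deserves a one-line comment on the `if` so nobody "tightens" the bound to `plugin_len - 1` later. If the loop exits because the destination filled while `plugin_offset < plugin_len` still holds, the expansion is silently truncated; a post-loop `if (plugin_offset < plugin_len) return NULL;` would surface a mis-sized `plugin_copy_len` instead of passing a truncated plugin string on. The loop body and the rest of parse_plugin continue outside the hunk.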
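Review bot: The FIXME is phrased as a question and placed above `argvec = (char **)malloc(s)` rather than on the code that does the chopping, which is not in this hunk; a comment that states the consequence is more useful to the next reader, e.g. `/* FIXME: the argument splitting below ignores quoting, so an expanded value that contains the separator becomes extra argv entries. */`, placed on the splitting loop itself if that is what follows. The `%h` expansion in the previous hunk copies `host` verbatim into `plugin_copy`, so the expanded host name is the input whose contents matter for that split. parse_plugin continues outside the hunk.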