Martin Pitt [2014-12-15 12:50 +0100]:
> #7 0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee
> "/etc/localtime", switch_cur=0xffffd81c, zone_cur=0xffffd810,
> dst_cur=0xffffd809, switch_next=0xffffd824, delta_next=0xffffd820,
> zone_next=0xffffd814, dst_next=0xffffd80a)
> at src/shared/time-dst.c:104
> at src/shared/time-dst.c:104
> type_idxs = 0x565b98d8 ""
> num_types = 1
> types = 0x565b98d8
> zone_names = 0x565b98e0 "UTC"
> st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188,
> st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
> __pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8,
> st_atim = {tv_sec = 1418641254, tv_nsec = 924653672},
> st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672}, st_ctim =
> {tv_sec = 1418641254, tv_nsec = 920653672},
> st_ino = 351284}
> num_isstd = 1
> num_isgmt = 1
> tzhead = {tzh_magic = "TZif", tzh_version = "2", tzh_reserved =
> '\000' <repeats 14 times>,
> tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt =
> "\000\000\000\001", tzh_leapcnt = "\000\000\000",
> tzh_timecnt = "\000\000\000", tzh_typecnt = "\000\000\000\001",
> tzh_charcnt = "\000\000\000\004"}
> chars = 4
> i = 1
> total_size = 12
> types_idx = 0
> trans_width = 4
> tzspec_len = 0
> num_leaps = 0
> lo = 4294956851
> hi = 1
> num_transitions = 0
> transitions = 0x565b98d8
> f = 0x565b9970To clarify: 186 transitions = malloc0(total_size + tzspec_len); transitions gets 12 bytes allocated (see above frame for values of variables). 192 types = (struct ttinfo *)((char *)transitions + types_idx); As types_idx == 0, types == transitions, thus 12 bytes long. 193 zone_names = (char *)types + num_types * sizeof(struct ttinfo); num_types == 1, thus zone_names == types + 8, i. e. zone_names is 4 bytes. chars is 4 bytes, thus 247 zone_names[chars] = '\0'; writes at zone_names[4] aka transitions[12] which is one byte past the allocated buffer. I think the most robust solution would be to just allocate an extra byte so that we can always actually fit that null byte. Does that sound ok? Thanks, Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
From 597f3557b73ae0b4b449dc54b6b0e0a720864051 Mon Sep 17 00:00:00 2001 From: Martin Pitt <[email protected]> Date: Mon, 15 Dec 2014 13:06:48 +0100 Subject: [PATCH] shared: time-dst: Avoid buffer overflow Commit 681f9718 introduced an additional null terminator for the zone names. Increase the allocation of "transitions" to actually make room for this. --- src/shared/time-dst.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/shared/time-dst.c b/src/shared/time-dst.c index 926d22b..1ce6f72 100644 --- a/src/shared/time-dst.c +++ b/src/shared/time-dst.c @@ -183,7 +183,8 @@ read_again: return -EINVAL; } - transitions = malloc0(total_size + tzspec_len); + /* leave space for additional zone_names zero terminator */ + transitions = malloc0(total_size + tzspec_len + 1); if (transitions == NULL) return -EINVAL; -- 2.1.3
signature.asc
Description: Digital signature
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
