From: <ro...@us...> - 2004-01-12 17:44:18
Update of /cvsroot/ltp/ltp/testcases/kernel/syscalls/pipe
In directory sc8-pr-cvs1:/tmp/cvs-serv31506/testcases/kernel/syscalls/pipe

Modified Files:
	pipe07.c
Log Message:
Applied patch from Erik Andersen:
================================
I just got around to running the latest ltp with uClibc and noticed a new FAIL regression in pipe07. After hunting through uClibc's stdio code I was puzzled to find we were internally trying to fopen a filename with pipes and redirects in it, rather than the filename that had been explicitly passed into fopen. The filename matched up with the format string from pipe07.c line 87. That made me strongly suspect a buffer overflow. Running 'valgrind' on pipe07 confirmed that uClibc's _stdio_write was doing some scribbling where it shouldn't be.

Visual inspection by myself and my colleague Manuel Novoa quickly led us to notice the actual buffer overflow, which occurs on lines 87-88 of pipe07.c when printf writes into a malloc'd buffer the size of a char pointer (i.e. 4 bytes on x86). The rest of the string was then scribbled all over. This bug is a new regression introduced within the last month, and certainly explains the "For some reason, a SIGSEGV was generated" comment in rev 1.4.

Please apply,
-Erik
================================

Index: pipe07.c
===================================================================
RCS file: /cvsroot/ltp/ltp/testcases/kernel/syscalls/pipe/pipe07.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- pipe07.c	15 Dec 2003 17:08:10 -0000	1.5
+++ pipe07.c	12 Jan 2004 17:44:15 -0000	1.6
@@ -84,8 +84,9 @@ setup(); /* Get the currently used number of file descriptors */ mypid=getpid(); - cmdstring=malloc(sizeof(cmdstring)); - sprintf(cmdstring,"ls -A -1 /proc/%d/fd | wc -l | awk {'print $1'}> pipe07.tmp",mypid); + cmdstring=malloc(BUFSIZ); + snprintf(cmdstring, BUFSIZ, "ls -A -1 /proc/%d/fd | " + "wc -l | awk {'print $1'}> pipe07.tmp", mypid); if (system(cmdstring) == 0) { f = fopen("pipe07.tmp", "r"); |
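Review bot: the new `cmdstring=malloc(BUFSIZ);` line still passes the result straight to `snprintf` without a NULL check, so an allocation failure becomes a NULL-pointer write instead of a clean test abort; add an `if (cmdstring == NULL)` branch that reports the error through the test's own failure path before the `snprintf`. The core fix is right: `sizeof(cmdstring)` measured the pointer (4 bytes on x86) rather than the roughly 60-byte command, and `BUFSIZ` (at least 256 by the C standard) plus a bounded `snprintf` removes the overflow. A smaller point: the return value of `snprintf` is discarded, so a future edit that lengthens the format string past `BUFSIZ` would silently truncate the shell command rather than fail; checking `n < 0 || n >= BUFSIZ` would catch that.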
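To make the bug class concrete, here is an added stand-alone C example (not code from LTP or from Erik's patch) that shows why `sizeof(cmdstring)` is the wrong size, computes the length the formatted command really needs, and builds it with a bounded write that refuses to proceed on truncation. The format string is copied from the hunk above; the integer pid values and the helper names (`buggy_alloc_size`, `needed_len`, `build_cmdstring`, `cmdstring_matches`) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Format string as it appears in the pipe07.c hunk (copied for this demo). */
static const char *CMD_FMT =
    "ls -A -1 /proc/%d/fd | wc -l | awk {'print $1'}> pipe07.tmp";

/* The original defect: sizeof applied to a char pointer yields the size of
 * the pointer (4 on 32-bit, 8 on 64-bit), never the size of the string it
 * will hold. Everything past those few bytes is a heap overflow. */
size_t buggy_alloc_size(void)
{
    char *cmdstring = NULL;
    return sizeof(cmdstring);
}

/* Bytes the formatted command needs, excluding the terminating NUL.
 * snprintf with a zero-length destination only measures; it writes nothing. */
size_t needed_len(int pid)
{
    int n = snprintf(NULL, 0, CMD_FMT, pid);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened builder: size the buffer from the formatted length, write with a
 * bound, and verify the write was not truncated. Returns a heap string the
 * caller frees, or NULL on allocation or formatting failure. */
char *build_cmdstring(int pid)
{
    size_t need = needed_len(pid);
    if (need == 0)
        return NULL;
    char *buf = malloc(need + 1);
    if (buf == NULL)                 /* unlike the patch, an OOM is reported, not dereferenced */
        return NULL;
    int n = snprintf(buf, need + 1, CMD_FMT, pid);
    if (n < 0 || (size_t)n != need) { /* truncation or encoding error */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Convenience check: does the built command equal the expected text? */
int cmdstring_matches(int pid, const char *expected)
{
    char *cmd = build_cmdstring(pid);
    if (cmd == NULL)
        return 0;
    int same = strcmp(cmd, expected) == 0;
    free(cmd);
    return same;
}

int main(void)
{
    int pid = (int)getpid();
    printf("sizeof(cmdstring) = %zu bytes, command needs %zu bytes\n",
           buggy_alloc_size(), needed_len(pid));
    char *cmd = build_cmdstring(pid);
    if (cmd == NULL)
        return 1;
    puts(cmd);
    free(cmd);
    return 0;
}
```

Running it prints the pointer size beside the real command length, which makes the gap the valgrind run in the message was pointing at visible at a glance; the measure-then-write pattern is the portable alternative when no fixed `BUFSIZ`-style bound is appropriate.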