From: Subrata <sub...@us...> - 2008-10-17 11:16:46
Update of /cvsroot/ltp/ltp/testcases/kernel/syscalls/symlink
In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv25735/ltp/testcases/kernel/syscalls/symlink

Modified Files:
	symlink01.c
Log Message:
When compiling with -D_FORTIFY_SOURCE=2 following buffer-overflow gets detected:

Starting program: /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01
symlink01 1 PASS : Creation of symbolic link file to no object file is ok
symlink01 2 PASS : Creation of symbolic link file to no object file is ok
symlink01 3 PASS : Creation of symbolic link file and object file via symbolic link is ok
symlink01 4 PASS : Creating an existing symbolic link file error is caught
*** buffer overflow detected ***: /root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01 terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x2b5ae730f31f]
/lib64/libc.so.6[0x2b5ae730e3c3]
/root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x4048fe]
/root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x403e7b]
/root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x4047b7]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b5ae725a184]
/root/ltp/ltp-full-20080916/testcases/kernel/syscalls/symlink/symlink01[0x401c39]

(gdb) bt
#0 0x00002b5ae726cbb5 in raise () from /lib64/libc.so.6
#1 0x00002b5ae726dfb0 in abort () from /lib64/libc.so.6
#2 0x00002b5ae72a332b in __libc_message () from /lib64/libc.so.6
#3 0x00002b5ae730f31f in __chk_fail () from /lib64/libc.so.6
#4 0x00002b5ae730e3c3 in __strcat_chk () from /lib64/libc.so.6
#5 0x00000000004048fe in creat_path_max (path1=0x409d88 "object", path2=<value optimized out>, path3=<value optimized out>) Read from remote host
#6 0x0000000000403e7b in do_syscalltests (tcs=0x50cec0) at symlink01.c:958
#7 0x00000000004047b7 in main (argc=<value optimized out>, argv=<value optimized out>) at symlink01.c:569
(gdb) up
#1 0x00002b5ae726dfb0 in abort () from /lib64/libc.so.6
(gdb) #2 0x00002b5ae72a332b in __libc_message () from /lib64/libc.so.6 (gdb) #3 0x00002b5ae730f31f in __chk_fail () from /lib64/libc.so.6 (gdb) #4 0x00002b5ae730e3c3 in __strcat_chk () from /lib64/libc.so.6 (gdb) #5 0x00000000004048fe in creat_path_max (path1=0x409d88 "object", path2=<value optimized out>, path3=<value optimized out>) at symlink01.c:844 844 strcat(full_path, "Z"); Variable full_path exceeds PATH_MAX limit in creat_path_max(), to avoid a buffer overflow the size of full_path needs to be incremented by one. Signed-off-by: Daniel Gollub <dg...@su...>. Index: symlink01.c =================================================================== RCS file: /cvsroot/ltp/ltp/testcases/kernel/syscalls/symlink/symlink01.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** symlink01.c 21 Jan 2008 11:16:18 -0000 1.8 --- symlink01.c 17 Oct 2008 10:05:59 -0000 1.9 *************** *** 489,493 **** char *Selectedtests = NULL; /* Name (tcid) of selected test cases */ char test_msg[BUFMAX]; ! char full_path[PATH_MAX+1]; extern int Tst_count; extern char *TESTDIR; --- 489,493 ---- char *Selectedtests = NULL; /* Name (tcid) of selected test cases */ char test_msg[BUFMAX]; ! char full_path[PATH_MAX+1+1]; /* Add one for '\0' and another to exceed the PATH_MAX limit, see creat_path_max() */ extern int Tst_count; extern char *TESTDIR; |
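
Review bot: The `full_path[PATH_MAX+1+1]` declaration fixes the size, but the append that overflowed, `strcat(full_path, "Z")` at symlink01.c:844 in the backtrace, is still unbounded, so the test is only safe while the declaration and creat_path_max() agree on that length by convention. Consider giving the size a named constant that both places use, and bounding the append in creat_path_max() against `sizeof(full_path)` so a later change to either side fails the test cleanly instead of relying on _FORTIFY_SOURCE to abort it. The new comment explaining the two extra bytes is helpful and should stay next to whatever constant replaces the literal arithmetic.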
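
The sizing rule from the log message, as an added example in C (not LTP's code): a path meant to be PATH_MAX + 1 characters long needs PATH_MAX + 2 bytes, and the builder below refuses a smaller buffer instead of overrunning it. `build_overlong_path` and its fill loop are hypothetical; only the "object" component and the "Z" pad character are taken from the backtrace.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Hypothetical helper (not LTP's creat_path_max()): fill buf with a path of
 * exactly PATH_MAX + 1 characters, one more than the limit under test.
 * Returns the path length, or -1 if buf cannot hold it plus the '\0'. */
static long build_overlong_path(char *buf, size_t bufsz, const char *component)
{
    const size_t want = (size_t)PATH_MAX + 1;   /* characters, excluding '\0' */
    size_t clen = strlen(component);
    size_t len = 0;

    if (clen == 0 || bufsz < want + 1)          /* needs PATH_MAX + 2 bytes */
        return -1;

    /* Append "component/" while a whole component plus '/' still fits. */
    while (len + clen + 1 <= want) {
        memcpy(buf + len, component, clen);
        buf[len + clen] = '/';
        len += clen + 1;
    }
    /* Pad with 'Z' up to the exact target length (assumed fill strategy). */
    while (len < want)
        buf[len++] = 'Z';
    buf[len] = '\0';                            /* index PATH_MAX + 1 */
    return (long)len;
}

int main(void)
{
    static char too_small[PATH_MAX + 1];        /* size before the fix */
    static char big_enough[PATH_MAX + 1 + 1];   /* size after the fix */

    printf("PATH_MAX+1 buffer: %ld\n",
           build_overlong_path(too_small, sizeof too_small, "object"));
    printf("PATH_MAX+2 buffer: %ld\n",
           build_overlong_path(big_enough, sizeof big_enough, "object"));
    return 0;
}
```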