#2525 5.7.2 will crash/overflow when processing argv greater than BUFSIZ in swrun_kinfo.c

freeBSD
duplicate
None
2
2014-03-10
2014-02-24
Ryan Steinmetz
No

5.7.2 will crash if a running process has arguments that are longer than BUFSIZ. An easy way to recreate this is to create a shell script with:
sleep 9999

in it and then call it with:

./test.sh a really long string here

Then, run snmpwalk against the host. snmpd will crash.

In agent/mibgroup/host/data_access/swrun_kinfo.c, we use strcat() and will overflow the buffer (buf) if argv is larger than BUFSIZ bytes.

The attached patch will truncate anything beyond BUFSIZ and prevent snmpd from crashing.

1 Attachments

Discussion

  • Niels Baggesen
    2014-02-24

    • status: open --> duplicate
    • assigned_to: Niels Baggesen
     
  • Niels Baggesen
    2014-02-24

    Thanks for the report.
    This problem has already been fixed by the patch attached to bug 2286.

     
  • Ryan Steinmetz
    2014-02-24

    This bug still exists even with the patch from 2286. It is caused by us adding spaces (via strcat()) in the while() loop when iterating through argv:

        buf[0] = '\0';
        buf[1] = '\0';
        if (argv)
            argv++;    /* Skip argv[0] */
        while ( argv && *argv ) {
            strcat(buf, " ");      /* unbounded: one extra byte per argument */
            strcat(buf, *argv);    /* unbounded: no check against sizeof(buf) */
            argv++;
        }
    

    The patch from #2286 only limits the number of characters returned, but does not factor in that we loop through the arguments and insert spaces between them when building the string that we place into 'buf'.

    2286 also does not factor in that we consume the first two bytes with NULLs.

     
    Last edit: Ryan Steinmetz 2014-02-25
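    The following is an added illustration of a bounded way to build the same string; it is not the patch attached to this ticket or to #2286, and the helper name join_argv_bounded and the 16-byte buffer in the demo are assumptions made for the example. It keeps the original's observable layout (buf[0] and buf[1] cleared so that buf+1 is always a valid string) while letting snprintf() account for both the separator and the argument on every iteration, so the total can never exceed the buffer whatever the argument count or length.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounded replacement for the strcat() loop quoted above.
 * Appends " argv[1] argv[2] ..." to buf, writing at most bufsz bytes
 * including the terminating NUL. Returns the length the untruncated
 * string would have had (snprintf-style), so a caller can detect
 * truncation with: join_argv_bounded(...) > bufsz - 1.
 */
size_t join_argv_bounded(char *buf, size_t bufsz, char *const argv[])
{
    size_t need = 0;   /* bytes the full string would occupy, excl. NUL */

    if (bufsz == 0)
        return 0;
    /* Mirror the original: both leading bytes cleared so buf+1 is a string. */
    buf[0] = '\0';
    if (bufsz > 1)
        buf[1] = '\0';

    if (argv)
        argv++;        /* Skip argv[0], as the original loop does */

    for (; argv && *argv; argv++) {
        /* Once full, keep writing at the last slot: snprintf with a size
         * of 1 stores only the NUL and still reports the full length. */
        size_t off = need < bufsz - 1 ? need : bufsz - 1;
        int n = snprintf(buf + off, bufsz - off, " %s", *argv);
        if (n < 0)
            break;
        need += (size_t)n; /* separator and argument counted together */
    }
    return need;
}

/* Demo on a constructed argv that would overflow a small buffer. */
int main(void)
{
    char buf[16];      /* stands in for a BUFSIZ-sized buffer */
    char *const argv[] = { "test.sh", "a", "really", "long", "string", "here", NULL };
    size_t full = join_argv_bounded(buf, sizeof buf, argv);

    printf("stored   : \"%s\" (%zu bytes)\n", buf, strlen(buf));
    printf("needed   : %zu bytes\n", full);
    printf("truncated: %s\n", full > sizeof buf - 1 ? "yes" : "no");
    return 0;
}
```

    The same check applies to the original loop: each argument costs strlen(*argv) + 1 bytes, not strlen(*argv), and the sum has to be compared with the buffer size before anything is copied.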
  • Ryan Steinmetz
    2014-02-24

    I think this is a more complete patch than the one from #2286.

    Reproducing this is simple: Apply the patch from #2286, then ensure that your arguments string also has a ton of spaces in it and exceeds BUFSIZ characters total.

     
    Last edit: Ryan Steinmetz 2014-02-24
  • Wes Hardaker
    2014-02-25

    Patch applied to 5.5 branches and up. Thank you!