commit 1dbd39e85f567740dc00bae126741bdb9c2d777a
author Dmitry V. Levin <ldv@altlinux.org> Sat Feb 28 14:50:09 2015 +0000
committer Dmitry V. Levin <ldv@altlinux.org> Sat Feb 28 14:50:09 2015 +0000
tree db327e4a6b6e25c580de589c101dedd8260a07f1
parent 7211dbcb2f8a43eb5d36bd15c7ba1267ba21e223

Fix stack buffer overflow when specified command is too long

* strace.c (startup_child): Check that the length of the command strace
is going to execute does not exceed PATH_MAX limit.

Reported-by: Cheolung Lee <chpie@grayhash.com>

strace.c

diff --git a/strace.c b/strace.c
index fccf4ad..b714255 100644
--- a/strace.c
+++ b/strace.c
@@ -1157,16 +1157,19 @@
 {
 	struct_stat statbuf;
 	const char *filename;
+	size_t filename_len;
 	char pathname[PATH_MAX];
 	int pid;
 	struct tcb *tcp;
 
 	filename = argv[0];
+	filename_len = strlen(filename);
+
+	if (filename_len > sizeof(pathname) - 1) {
+		errno = ENAMETOOLONG;
+		perror_msg_and_die("exec");
+	}
 	if (strchr(filename, '/')) {
-		if (strlen(filename) > sizeof pathname - 1) {
-			errno = ENAMETOOLONG;
-			perror_msg_and_die("exec");
-		}
 		strcpy(pathname, filename);
 	}
 #ifdef USE_DEBUGGING_EXEC
@@ -1203,6 +1206,8 @@
 			}
 			if (len && pathname[len - 1] != '/')
 				pathname[len++] = '/';
+			if (filename_len + len > sizeof(pathname) - 1)
+				continue;
 			strcpy(pathname + len, filename);
 			if (stat_file(pathname, &statbuf) == 0 &&
 			    /* Accept only regular files
@@ -1212,6 +1217,8 @@
 			    (statbuf.st_mode & 0111))
 				break;
 		}
+		if (!path || !*path)
+			pathname[0] = '\0';
 	}
 	if (stat_file(pathname, &statbuf) < 0) {
 		perror_msg_and_die("Can't stat '%s'", filename);