Fix: scanf unbounded input
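--- a/src/bin/lttng/commands/enable_events.c
+++ b/src/bin/lttng/commands/enable_events.c
@@ -30,6 +30,10 @@
 #include "../command.h"
 #include <src/common/sessiond-comm/sessiond-comm.h>
+#if (LTTNG_SYMBOL_NAME_LEN == 256)
+#define LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API "255"
+#endif
+
 static char *opt_event_list;
 static int opt_event_type;
 static const char *opt_loglevel;
@@ -226,6 +230,7 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 {
 int ret;
 char s_hex[19];
+#define S_HEX_LEN_SCANF_IS_A_BROKEN_API "18" /* 18 is (19 - 1) (\0 is extra) */
 char name[LTTNG_SYMBOL_NAME_LEN];
 if (opt == NULL) {
@@ -234,7 +239,8 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 }
 /* Check for symbol+offset */
- ret = sscanf(opt, "%[^'+']+%s", name, s_hex);
+ ret = sscanf(opt, "%" LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API
+ "[^'+']+%" S_HEX_LEN_SCANF_IS_A_BROKEN_API "s", name, s_hex);
 if (ret == 2) {
 strncpy(ev->attr.probe.symbol_name, name, LTTNG_SYMBOL_NAME_LEN);
 ev->attr.probe.symbol_name[LTTNG_SYMBOL_NAME_LEN - 1] = '\0';
@@ -252,7 +258,8 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 /* Check for symbol */
 if (isalpha(name[0])) {
- ret = sscanf(opt, "%s", name);
+ ret = sscanf(opt, "%" LTTNG_SYMBOL_NAME_LEN_SCANF_IS_A_BROKEN_API "s",
+ name);
 if (ret == 1) {
 strncpy(ev->attr.probe.symbol_name, name, LTTNG_SYMBOL_NAME_LEN);
 ev->attr.probe.symbol_name[LTTNG_SYMBOL_NAME_LEN - 1] = '\0';
@@ -265,7 +272,7 @@ static int parse_probe_opts(struct lttng_event *ev, char *opt)
 }
 /* Check for address */
- ret = sscanf(opt, "%s", s_hex);
+ ret = sscanf(opt, "%" S_HEX_LEN_SCANF_IS_A_BROKEN_API "s", s_hex);
 if (ret > 0) {
 if (*s_hex == '\0') {
 ERR("Invalid probe address %s", s_hex);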
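Review bot: The field widths added to the three sscanf() calls in parse_probe_opts keep `name` and `s_hex` in bounds, but an over-long argument is now truncated silently instead of rejected, so an address of 19 or more characters or a symbol of 256 or more would be parsed as a shorter, different value and the probe request may end up describing something the user did not ask for. Consider rejecting input that was not fully consumed, for example by appending `%n` to each format and checking `opt[consumed] == '\0'` before accepting the match. Separately, `S_HEX_LEN_SCANF_IS_A_BROKEN_API` is tied to `char s_hex[19]` only by a comment, and the `#if (LTTNG_SYMBOL_NAME_LEN == 256)` guard has no `#else`, so a size change fails with an undefined-identifier error at the call sites or, for `s_hex`, not at all; an `#else` branch with `#error` and a compile-time check on `sizeof(s_hex)` would make both explicit. The function body continues outside the hunks shown, so how `s_hex` is converted afterwards is not visible here.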