| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Jan 2018 02:31:49 +0800
From: Antonio Quartulli <a@...table.cc>
To: netdev@...r.kernel.org
Cc: Antonio Quartulli <a@...table.cc>,
Stefano Brivio <sbrivio@...hat.com>,
Stephen Hemminger <stephen@...workplumber.org>
Subject: [iproute2 1/2] ss: fix crash when skipping disabled header field
When the first header field is disabled (i.e. when passing the -t
option), field_flush() is invoked with the `buffer` global variable
still zero'd.
However, in field_flush() we try to access buffer.cur->len
during variables initialization, thus leading to a SIGSEGV.
It's interesting to note that this bug appears only when the code
is compiled with -O0, because the compiler is smart
enough to immediately jump to the return statement if optimizations
are enabled and skip the faulty instruction.
Cc: Stefano Brivio <sbrivio@...hat.com>
Cc: Stephen Hemminger <stephen@...workplumber.org>
Signed-off-by: Antonio Quartulli <a@...table.cc>
---
misc/ss.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/misc/ss.c b/misc/ss.c
index 1abf43d0..b35859dc 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -1018,12 +1018,15 @@ static void print_right_spacing(struct column *f, int printed)
/* Done with field: update buffer pointer, start new token after current one */
static void field_flush(struct column *f)
{
- struct buf_chunk *chunk = buffer.tail;
- unsigned int pad = buffer.cur->len % 2;
+ struct buf_chunk *chunk;
+ unsigned int pad;
if (f->disabled)
return;
+ chunk = buffer.tail;
+ pad = buffer.cur->len % 2;
+
if (buffer.cur->len > f->max_len)
f->max_len = buffer.cur->len;
--
2.15.1
Powered by blists - more mailing lists