[CRIU] [PATCH] proc_parse: check that scanf fill the offset var
Andrey Vagin
avagin at openvz.org
Wed Aug 6 07:03:51 PDT 2014
CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
40. tainted_data: Using tainted variable "hoff" as an index into an
array "str"
$ man 3 scanf
n Nothing is expected; instead, the number of characters consumed
thus far from the input is stored through the next pointer,
which must be a pointer to int. This is not a conversion,
although it can be suppressed with the * assignment-suppression
character. The C standard says: "Execution of a %n directive
does not increment the assignment count returned at the comple‐
tion of execution" but the Corrigendum seems to contradict this.
Probably it is wise not to make any assumptions on the effect of
%n conversions on the return value.
So it isn't not enough to check a return code from scanf().
Cc: Cyrill Gorcunov <gorcunov at openvz.org>
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
proc_parse.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/proc_parse.c b/proc_parse.c
index b0333be..78a59bf 100644
--- a/proc_parse.c
+++ b/proc_parse.c
@@ -1153,7 +1153,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
if (fdinfo_field(str, "fanotify ino")) {
FanotifyInodeMarkEntry ie = FANOTIFY_INODE_MARK_ENTRY__INIT;
FhEntry f_handle = FH_ENTRY__INIT;
- int hoff;
+ int hoff = 0;
if (type != FD_TYPES__FANOTIFY)
goto parse_err;
@@ -1169,7 +1169,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
&entry.ffy.mflags, &entry.ffy.mask, &entry.ffy.ignored_mask,
&f_handle.bytes, &f_handle.type,
&hoff);
- if (ret != 7)
+ if (ret != 7 || hoff == 0)
goto parse_err;
if (alloc_fhandle(&f_handle)) {
--
1.8.5.3
More information about the CRIU
mailing list