Buffer overflow in multiline-mode

Started by kosh, February 24, 2011, 05:33:25 PM


kosh

$ ./newlisp
newLISP v.10.3.0 on Linux IPv4/6 UTF-8, execute 'newlisp -h' for more info.

>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ... (Large strings MAX_COMMAND_LINE or more)
*** buffer overflow detected ***: ./newlisp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x1f2390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0x1f12ca]
./newlisp[0x8055870]
./newlisp[0x8055f52]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x126bd6]
./newlisp[0x804a921]
======= Memory map: ========
...


Patch is below:


$ diff -u newlisp_orig.c newlisp.c
--- newlisp_orig.c 2011-02-25 09:48:10.000000000 +0900
+++ newlisp.c 2011-02-25 09:48:47.000000000 +0900
@@ -1059,12 +1059,15 @@
  openStrStream(cmdStream, 1024, TRUE);
  for(;;)
  {
+                memset(buff, '', MAX_COMMAND_LINE); /* initialize buffer */
  if(isTTY)
  {
  cmd = getCommandLine(TRUE);
- strncpy(buff, cmd, MAX_COMMAND_LINE -1);
 #ifdef READLINE
+ strncpy(buff, cmd, MAX_COMMAND_LINE -2);
  strlcat(buff, "n", 1);
+#else
+                        strncpy(buff, cmd, MAX_COMMAND_LINE -1);
 #endif
  free(cmd);
  }
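Review bot: the `strlcat(buff, "n", 1)` call kept as context in the READLINE branch passes 1 as the destination size, so once `buff` holds even one character strlcat appends nothing (it only returns the length it would have needed); the size argument should be the full buffer size, `strlcat(buff, "\n", MAX_COMMAND_LINE)`, which is also what the new `MAX_COMMAND_LINE -2` reservation in the `strncpy` directly above it is sized for. Two smaller points on the same hunk: as printed, `memset(buff, '', MAX_COMMAND_LINE)` is an empty character constant that no C compiler accepts, and `"n"` is a literal n rather than a newline, so the intended `'\0'` and `"\n"` escapes appear to have been lost on the way to the post and should be checked in the patch file itself; and while the pre-fill guarantees the truncated copy is NUL-terminated, the truncation is silent, so a line longer than MAX_COMMAND_LINE is now quietly cut rather than reported.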
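The defect behind the report is the classic strncpy one: with a source of n bytes or more, `strncpy(buff, cmd, n)` writes no terminator, and whatever reads `buff` next (here the `strlcat` and the interpreter) runs off the end, which is what glibc's FORTIFY check caught. The following is an added example, not newLISP's code and not the poster's patch: a small bounded copy that always terminates the buffer and reserves room for the trailing newline, alongside a check that shows the unterminated buffer the original `strncpy` line leaves behind. `MAX_COMMAND_LINE` is set to a constructed small value so truncation is easy to exercise.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value for the example; newLISP's real limit is larger. */
#define MAX_COMMAND_LINE 16

/* Bounded copy of cmd into buff[size]. Always leaves buff NUL-terminated;
 * when add_newline is set, one byte is reserved so the '\n' the REPL
 * expects can still be appended after truncation.
 * Returns 1 if the whole command fit, 0 if it had to be truncated. */
int copy_command_line(char *buff, size_t size, const char *cmd, int add_newline)
{
    size_t len;
    size_t room;
    int fit = 1;

    if (size == 0)
        return 0;
    room = size - 1;                    /* bytes available before the NUL */
    if (add_newline) {
        if (room == 0) {                /* no space for anything but the NUL */
            buff[0] = '\0';
            return 0;
        }
        room -= 1;                      /* reserve one byte for '\n' */
    }

    len = strlen(cmd);
    if (len > room) {
        len = room;                     /* truncate instead of overflowing */
        fit = 0;
    }

    memcpy(buff, cmd, len);
    if (add_newline)
        buff[len++] = '\n';
    buff[len] = '\0';                   /* the guarantee strncpy alone lacks */
    return fit;
}

/* Reproduces the hazard of the original 'strncpy(buff, cmd, size - 1)' line
 * on a stack buffer pre-filled with a sentinel (standing in for stale data).
 * Returns 1 if no NUL exists anywhere in buff's size bytes afterwards, i.e.
 * the buffer is not a valid C string and any strlen/strlcat would overrun. */
int strncpy_left_unterminated(const char *cmd, size_t size)
{
    char buff[MAX_COMMAND_LINE];

    if (size == 0 || size > sizeof buff)
        return 0;
    memset(buff, 'X', sizeof buff);     /* sentinel, no NUL anywhere */
    strncpy(buff, cmd, size - 1);       /* pads with NUL only if cmd is shorter */
    return memchr(buff, '\0', size) == NULL;
}

int main(void)
{
    char buff[MAX_COMMAND_LINE];
    /* Constructed input: longer than the buffer, like the '@@@@...' line above. */
    const char *cmd = "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@";
    int fit = copy_command_line(buff, sizeof buff, cmd, 1);

    printf("fit=%d buff=%s", fit, buff);
    printf("strncpy left buffer unterminated: %d\n",
           strncpy_left_unterminated(cmd, sizeof buff));
    return 0;
}
```

The caller learns from the return value whether input was dropped, which is the part the bounded copy in the patch cannot report; a REPL would typically print a "line too long" notice on 0 rather than silently evaluating a cut-off expression.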

Lutz

#1
Thanks Kosh, the merged change can be found here:

http://www.newlisp.org/downloads/development/inprogress/