From 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Tue, 9 Oct 2018 09:19:50 -0400
Subject: [PATCH] rpcinfo: Fix stack buffer overflow

*** buffer overflow detected ***: rpcinfo terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
/lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
rpcinfo(+0x435f)[0xef3be2635f]
rpcinfo(+0x1c62)[0xef3be23c62]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
rpcinfo(+0x2739)[0xef3be24739]
======= Memory map: ========
...

The patch below fixes it.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Thomas Blume <thomas.blume@suse.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
 src/rpcinfo.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/rpcinfo.c b/src/rpcinfo.c
index 9b46864..cfdba88 100644
--- a/src/rpcinfo.c
+++ b/src/rpcinfo.c
@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
         (" program version(s) netid(s) service owner\n");
   for (rs = rs_head; rs; rs = rs->next)
     {
+      size_t netidmax = sizeof(buf) - 1;
       char *p = buf;
 
       printf ("%10ld ", rs->prog);
@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
         }
       printf ("%-10s", buf);
       buf[0] = '\0';
-      for (nl = rs->nlist; nl; nl = nl->next)
-        {
-          strcat (buf, nl->netid);
-          if (nl->next)
-            strcat (buf, ",");
-        }
+
+      for (nl = rs->nlist; nl; nl = nl->next)
+        {
+          strncat (buf, nl->netid, netidmax);
+          if (strlen (nl->netid) < netidmax)
+            netidmax -= strlen(nl->netid);
+          else
+            break;
+
+          if (nl->next && netidmax > 1)
+            {
+              strncat (buf, ",", netidmax);
+              netidmax --;
+            }
+        }
+
       printf ("%-32s", buf);
       rpc = getrpcbynumber (rs->prog);
       if (rpc)
-- 
2.22.0
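Review bot: In the rewritten netid loop of the second hunk, `strlen (nl->netid)` is evaluated twice per iteration, once in the comparison and again in the subtraction; computing it once as `size_t len = strlen (nl->netid);` and then using `if (len >= netidmax) break;` and `netidmax -= len;` keeps the bound check and the bookkeeping on the same value and reads more clearly. Truncation is silent: when the netid list does not fit in `buf` the loop breaks and the column is printed with a possibly partial last netid and no indicator, so a comment such as `/* netid list truncated to sizeof(buf) - 1; remaining netids are dropped */` at the `break` would at least document that the output can be incomplete. The bound itself looks right, since `netidmax` tracks the bytes still free before the terminator and `strncat` always appends one NUL within that. The version list written through `p` earlier in the loop body is outside the hunk, so whether it is bounded the same way cannot be checked here. `rpcbdump` begins before the first hunk and continues after the second.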