From c8c33ad7f94c59d1c0676af0cfd61207b3e808db Mon Sep 17 00:00:00 2001 From: Jan Viktorin Date: Tue, 3 May 2016 21:15:27 +0200 Subject: [PATCH] app/test: fix buffer overflow A bug has been detected by valgrind: Invalid write of size 1 by 0x86ECC76: sprintf (in /usr/lib/libc-2.23.so) by 0x430B0A: commands_init (in build/app/test) by 0x42F215: main (in build/app/test) Address 0x9d72ff2 is 0 bytes after a block of size 1,346 alloc'd at 0x78C1BD0: malloc (in vgpreload_memcheck-amd64-linux.so) by 0x430AE4: commands_init (in build/app/test) by 0x42F215: main (in build/app/test) The commands buffer is exactly 1346 B long so there is an access just after the buffer. The sprintf always writes '\0' at the end of the string. The '#' separator adds 1 B more to each string. This is correct until the last string is sprinted there. The last one is 1 B longer then expected, i.e.: strlen(t->command) + strlen("#") + ONE_FOR_ZERO Fixes: 727909c59231 ("app/test: introduce dynamic commands list") Signed-off-by: Jan Viktorin Acked-by: David Marchand --- app/test/commands.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/test/commands.c b/app/test/commands.c index 9cb9606ece..e0af8e4192 100644 --- a/app/test/commands.c +++ b/app/test/commands.c @@ -439,7 +439,7 @@ int commands_init(void) commands_len += strlen(t->command) + 1; } - commands = malloc(commands_len); + commands = malloc(commands_len + 1); if (!commands) return -1; -- 2.20.1