- From:
- Christian Weisgerber <naddy@mips.inka.de>
- Subject:
- Assert against argv[] overflow in got_dial_ssh()
- To:
- gameoftrees@openbsd.org
- Date:
- Sun, 5 Sep 2021 23:12:22 +0200
Download raw body.
Thread
Assert against argv[] overflow in got_dial_ssh()
Download raw body.
Assert against argv[] overflow in got_dial_ssh()
Everytime I look at dial_ssh(), I see a caltrop on the street waiting
for somebody to step on.
Can we assert() against somebody adding an extra argument and
accidentally overflowing argv[]?
diff 5e5da8c4bcc83f7737a115b8da52fc3935fe3a6b /home/naddy/got
blob - 1220c48e7f2ace97395c12e5a3af43b9c0bdc410
file + lib/dial.c
--- lib/dial.c
+++ lib/dial.c
@@ -20,6 +20,7 @@
#include <sys/socket.h>
#include <netdb.h>
+#include <assert.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
@@ -31,6 +32,10 @@
#include "got_lib_dial.h"
+#ifndef nitems
+#define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
+#endif
+
#ifndef ssizeof
#define ssizeof(_x) ((ssize_t)(sizeof(_x)))
#endif
@@ -216,6 +221,7 @@ got_dial_ssh(pid_t *newpid, int *newfd, const char *ho
argv[i++] = (char *)cmd;
argv[i++] = (char *)path;
argv[i++] = NULL;
+ assert(i <= nitems(argv));
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pfd) == -1)
return got_error_from_errno("socketpair");
--
Christian "naddy" Weisgerber naddy@mips.inka.de
Assert against argv[] overflow in got_dial_ssh()