From e41c35ae569f52ee5b2150e9c1d931b0eba5831c Mon Sep 17 00:00:00 2001
From: Andrej Antunovikj
Date: Mon, 25 Nov 2019 23:22:53 +0400
Subject: [PATCH] kernel/elf: Replace sprintf with snprintf
In two places in elf.cpp, sprintf is used which does not check for buffer overflows. This could potentially lead to malicious executables trying to reach memory they are not supposed to. Instead, it's possible to use snprintf with a sizeof() call. I'm not very well-versed into C/C++, so this is just based on what I've learned. Please do provide feedback, I would like to get into more useful contributions :)
Change-Id: I9c36a9938f9c99b3849e77aa9cd2eab313f5bb95
Reviewed-on: https://review.haiku-os.org/c/haiku/+/1975
Reviewed-by: Adrien Destugues
---
 src/system/kernel/elf.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/system/kernel/elf.cpp b/src/system/kernel/elf.cpp
index 0883e523e3..4706f4c3db 100644
--- a/src/system/kernel/elf.cpp
+++ b/src/system/kernel/elf.cpp
@@ -1913,8 +1913,8 @@ elf_load_user_image(const char *path, Team *team, uint32 flags, addr_t *entry)
 leaf++;
 length = strlen(leaf);
- if (length > B_OS_NAME_LENGTH - 8)
- sprintf(baseName, "...%s", leaf + length + 8 - B_OS_NAME_LENGTH);
+ if (length > B_OS_NAME_LENGTH - 16)
+ snprintf(baseName, B_OS_NAME_LENGTH, "...%s", leaf + length + 16 - B_OS_NAME_LENGTH);
 else
 strcpy(baseName, leaf);
 }
@@ -1961,7 +1961,7 @@ elf_load_user_image(const char *path, Team *team, uint32 flags, addr_t *entry)
 memUpperBound = ROUNDUP(memUpperBound, B_PAGE_SIZE);
 fileUpperBound = ROUNDUP(fileUpperBound, B_PAGE_SIZE);
- sprintf(regionName, "%s_seg%drw", baseName, i);
+ snprintf(regionName, B_OS_NAME_LENGTH, "%s_seg%drw", baseName, i);
 id = vm_map_file(team->id, regionName, (void **)®ionAddress,
 addressSpec, fileUpperBound,
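Review bot: The size passed to snprintf on the added line is the constant B_OS_NAME_LENGTH rather than the size of baseName, whose declaration lies outside the hunk, so the bound is only correct for as long as that declaration stays at B_OS_NAME_LENGTH; the commit message says sizeof() is used, so if baseName is a local array the line should read `snprintf(baseName, sizeof(baseName), "...%s", leaf + length + 16 - B_OS_NAME_LENGTH);`, and the regionName call in the second hunk has the same issue. The change of the reserved margin from 8 to 16 is not explained in the commit; it appears to leave room for the `_seg%drw` suffix the second hunk appends to baseName, and a comment such as `// keep room for the "_seg<n>rw" suffix appended when naming segment regions` would record that intent next to the constant. The unchanged `strcpy(baseName, leaf)` in the else branch stays within bounds only because of the length test directly above it, which matters since leaf is presumably derived from the caller-supplied path. elf_load_user_image begins and ends outside the hunk.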