From: Stephen Hemminger <stephen@networkplumber.org>
Date: Mon, 18 Dec 2017 17:51:02 +0000 (-0800)
Subject: ss: fix crash with invalid command input file
X-Git-Tag: v4.15.0~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=507358183576b44a2f6c825b35441a9549d385c7;p=thirdparty%2Fiproute2.git

ss: fix crash with invalid command input file

If given an invalid input file with -F flag, ss would crash.
Examples of invalid input are line to long, or null file.

Found by fuzzing with ASAN.

Reported-by:Bug Basher <iamliketohack@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---

diff --git a/misc/ssfilter.y b/misc/ssfilter.y
index ba82b65f7..4db3c95fa 100644
--- a/misc/ssfilter.y
+++ b/misc/ssfilter.y
@@ -202,15 +202,23 @@ int yylex(void)
 				argc++;
 			} else if (yy_fp) {
 				while (tokptr == NULL) {
-					if (fgets(argbuf, sizeof(argbuf)-1, yy_fp) == NULL)
+					size_t len;
+
+					if (fgets(argbuf, sizeof(argbuf), yy_fp) == NULL)
 						return 0;
-					argbuf[sizeof(argbuf)-1] = 0;
-					if (strlen(argbuf) == sizeof(argbuf) - 1) {
-						fprintf(stderr, "Too long line in filter");
+
+					len = strnlen(argbuf, sizeof(argbuf));
+					if (len == 0) {
+						fprintf(stderr, "Invalid line\n");
+						exit(-1);
+					}
+
+					if (len >= sizeof(argbuf) - 1) {
+						fprintf(stderr, "Too long line in filter\n");
 						exit(-1);
 					}
-					if (argbuf[strlen(argbuf)-1] == '\n')
-						argbuf[strlen(argbuf)-1] = 0;
+					if (argbuf[len - 1] == '\n')
+						argbuf[len-1] = 0;
 					if (argbuf[0] == '#' || argbuf[0] == '0')
 						continue;
 					tokptr = argbuf;