journal: fix buffer overrun when urlifying
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 23 Jun 2020 18:51:13 +0000 (20:51 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 25 Jun 2020 06:51:21 +0000 (08:51 +0200)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21122.

message is only valid until message_len, and we need to make sure we're not
reading past that. Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.

src/shared/logs-show.c
test/fuzz/fuzz-journal-remote/oss-fuzz-21122 [new file with mode: 0644]

index 570377dc7692b2d21cefef17c154fef66b5c3bbc..fee6ccdf2a1e3f7040b4dd7dbe4ca8ae9f8a7718 100644 (file)
@@ -573,19 +573,22 @@ static int output_short(
                 if (config_file &&
                     message_len >= config_file_len &&
                     memcmp(message, config_file, config_file_len) == 0 &&
-                    IN_SET(message[config_file_len], ':', ' ', '\0') &&
+                    (message_len == config_file_len || IN_SET(message[config_file_len], ':', ' ')) &&
                     (!highlight || highlight_shifted[0] == 0 || highlight_shifted[0] > config_file_len)) {
 
                         _cleanup_free_ char *t = NULL, *urlified = NULL;
 
                         t = strndup(config_file, config_file_len);
                         if (t && terminal_urlify_path(t, NULL, &urlified) >= 0) {
-                                size_t shift = strlen(urlified) - config_file_len;
+                                size_t urlified_len = strlen(urlified);
+                                size_t shift = urlified_len - config_file_len;
                                 char *joined;
 
-                                joined = strjoin(urlified, message + config_file_len);
+                                joined = realloc(urlified, message_len + shift);
                                 if (joined) {
+                                        memcpy(joined + urlified_len, message + config_file_len, message_len - config_file_len);
                                         free_and_replace(message, joined);
+                                        TAKE_PTR(urlified);
                                         message_len += shift;
                                         if (highlight) {
                                                 highlight_shifted[0] += shift;
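Review bot: The buffer built by the `realloc(urlified, message_len + shift)` / `memcpy(...)` pair is exactly message_len + shift bytes and no longer ends in a NUL, because the memcpy overwrites the terminator that urlified carried and strjoin() previously re-added. That matches the commit's stated invariant that message is only valid up to message_len, but the hunk does not record it, and any later `strlen(message)` or `%s` on the same pointer in output_short() would read past the allocation; whether such a use exists cannot be verified from this hunk. A comment at the realloc line would pin the contract: `/* message is not NUL-terminated: copy exactly message_len - config_file_len bytes; the result is likewise unterminated and bounded by message_len */`. output_short() begins and ends outside the hunk.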
diff --git a/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122
new file mode 100644 (file)
index 0000000..e0e05e1
Binary files /dev/null and b/test/fuzz/fuzz-journal-remote/oss-fuzz-21122 differ