From: Zbigniew Jędrzejewski-Szmek Date: Sun, 20 May 2018 20:06:23 +0000 (+0200) Subject: shared/logs-show: fix mixup between length-based memory duplication and string operations X-Git-Tag: v239~172^2~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=324d6aa92629d4368b517f5c4d17a103c69098be;p=thirdparty%2Fsystemd.git shared/logs-show: fix mixup between length-based memory duplication and string operations We'd look for a '=' separator using memchr, i.e. ignoring any nul bytes in the string, but then do a strndup, which would terminate on any nul byte, and then again do a memcmp, which would access memory past the chunk allocated by strndup. Of course, we probably shouldn't allow keys with nul bytes in them. But we currently do, so there might be journal files like that out there. So let's fix the journal-reading code first. --- diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index 50326fde5da..124fa838b3c 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -839,7 +839,7 @@ static int output_json( if (!eq) continue; - n = strndup(data, eq - (const char*) data); + n = memdup_suffix0(data, eq - (const char*) data); if (!n) { r = log_oom(); goto finish; @@ -891,7 +891,7 @@ static int output_json( m = eq - (const char*) data; - n = strndup(data, m); + n = memdup_suffix0(data, m); if (!n) { r = log_oom(); goto finish; diff --git a/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45 b/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45 new file mode 100644 index 00000000000..535d49ea7a0 Binary files /dev/null and b/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45 differ