commit 8e8c92c: [Fix] buffer overflow in rspamc counters
Anton Yuzhaninov
citrin+git at citrin.ru
Wed Sep 22 17:14:04 UTC 2021
Author: Anton Yuzhaninov
Date: 2021-09-21 10:00:17 +0100
URL: https://github.com/rspamd/rspamd/commit/8e8c92c0ca8c87a7dfb8921ae8aa72e6b767d97e
[Fix] buffer overflow in rspamc counters
If request to /counters returns no symbols then max_len would have
a negative value:
Results for command: counters (0.003 seconds)
=================================================================
==22096==ERROR: AddressSanitizer: negative-size-param: (size=-2147483604)
#0 0x33ff13 in __asan_memset (/usr/bin/rspamc+0x33ff13)
#1 0x383432 in rspamc_counters_output /usr/src/debug/rspamd/src/client/rspamc.c:1064:2
#2 0x388c49 in rspamc_client_cb /usr/src/debug/rspamd/src/client/rspamc.c:1600:6
...
---
src/client/rspamc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/client/rspamc.c b/src/client/rspamc.c
index fb995288d..869a82b03 100644
--- a/src/client/rspamc.c
+++ b/src/client/rspamc.c
@@ -1035,7 +1035,8 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
const ucl_object_t *cur, *sym, *weight, *freq, *freq_dev, *nhits;
ucl_object_iter_t iter = NULL;
gchar fmt_buf[64], dash_buf[82], sym_buf[82];
- gint l, max_len = INT_MIN, i;
+ gint l, i;
+ gint max_len = sizeof("Symbol") - 1;
static const gint dashes = 44;
if (obj->type != UCL_ARRAY) {
@@ -1054,11 +1055,12 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
if (sym != NULL) {
l = sym->len;
if (l > max_len) {
- max_len = MIN (sizeof (dash_buf) - dashes - 1, l);
+ max_len = l;
}
}
}
+ max_len = MIN (sizeof (dash_buf) - dashes - 1, max_len);
rspamd_snprintf (fmt_buf, sizeof (fmt_buf),
"| %%3s | %%%ds | %%7s | %%13s | %%7s |\n", max_len);
memset (dash_buf, '-', dashes + max_len);
More information about the Commits
mailing list