commit 8e8c92c: [Fix] buffer overflow in rspamc counters

Anton Yuzhaninov citrin+git at citrin.ru
Wed Sep 22 17:14:04 UTC 2021


Author: Anton Yuzhaninov
Date: 2021-09-21 10:00:17 +0100
URL: https://github.com/rspamd/rspamd/commit/8e8c92c0ca8c87a7dfb8921ae8aa72e6b767d97e

[Fix] buffer overflow in rspamc counters
If request to /counters returns no symbols then max_len would have
a negative value:

Results for command: counters (0.003 seconds)
=================================================================
==22096==ERROR: AddressSanitizer: negative-size-param: (size=-2147483604)
    #0 0x33ff13 in __asan_memset (/usr/bin/rspamc+0x33ff13)
    #1 0x383432 in rspamc_counters_output /usr/src/debug/rspamd/src/client/rspamc.c:1064:2
    #2 0x388c49 in rspamc_client_cb /usr/src/debug/rspamd/src/client/rspamc.c:1600:6
    ...

---
 src/client/rspamc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/client/rspamc.c b/src/client/rspamc.c
index fb995288d..869a82b03 100644
--- a/src/client/rspamc.c
+++ b/src/client/rspamc.c
@@ -1035,7 +1035,8 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
 	const ucl_object_t *cur, *sym, *weight, *freq, *freq_dev, *nhits;
 	ucl_object_iter_t iter = NULL;
 	gchar fmt_buf[64], dash_buf[82], sym_buf[82];
-	gint l, max_len = INT_MIN, i;
+	gint l, i;
+	gint max_len = sizeof("Symbol") - 1;
 	static const gint dashes = 44;
 
 	if (obj->type != UCL_ARRAY) {
@@ -1054,11 +1055,12 @@ rspamc_counters_output (FILE *out, ucl_object_t *obj)
 		if (sym != NULL) {
 			l = sym->len;
 			if (l > max_len) {
-				max_len = MIN (sizeof (dash_buf) - dashes - 1, l);
+				max_len = l;
 			}
 		}
 	}
 
+	max_len = MIN (sizeof (dash_buf) - dashes - 1, max_len);
 	rspamd_snprintf (fmt_buf, sizeof (fmt_buf),
 		"| %%3s | %%%ds | %%7s | %%13s | %%7s |\n", max_len);
 	memset (dash_buf, '-', dashes + max_len);


More information about the Commits mailing list