Fix: lttng: out-of-bound copy of arguments in 'view' command handler
author Jérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 19 Sep 2019 18:24:34 +0000 (14:24 -0400)
committer Jérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 26 Sep 2019 19:55:59 +0000 (15:55 -0400)
The 'size' operand of memcpy() does not indicate the length of the
opts array; it is the size of the resulting array once the opts array
is concatenated with the options being added in this function. This
results in out-of-bound read(s) in the opts array.

Use 'sizeof(char *) * opts_len' as the length to copy at the beginning
of the resulting array.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
src/bin/lttng/commands/view.c

index bf9b1bef8b1bd8bf1ce130bdb2596e66f92625a1..65259dba86c2afb7b54f606fb00fb2d3e30df27c 100644 (file)
@@ -182,7 +182,7 @@ static char **alloc_argv_from_local_opts(const char **opts, size_t opts_len,
                goto error;
        }
 
-       memcpy(argv, opts, size);
+       memcpy(argv, opts, sizeof(char *) * opts_len);
 
        if (session_live_mode) {
                argv[opts_len] = "-i";
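
Review bot: The new memcpy() length, sizeof(char *) * opts_len, spells out the element type by hand; writing it as sizeof(*opts) * opts_len would tie the length to the array actually being read, so it stays correct if the element type ever changes. The commit message notes that 'size' is the size of the whole resulting array, not of opts, and 'size' remains in scope here, so a short comment on this line saying that only the first opts_len entries come from opts, with the remaining slots filled in below starting at argv[opts_len], would help keep the two lengths from being confused again.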