From: Jérémie Galarneau Date: Thu, 19 Sep 2019 18:24:34 +0000 (-0400) Subject: Fix: lttng: out-of-bound copy of arguments in 'view' command handler X-Git-Tag: v2.9.13~1 X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=043d3d2b2b7a6fa936ce91e8cb1693308baf2ed3;p=lttng-tools.git Fix: lttng: out-of-bound copy of arguments in 'view' command handler The 'size' operand of memcpy() does not indicate the length of the opts array; it is the size of the resulting array once the opts array is concatenated with the options being added in this function. This results in out-of-bound read(s) in the opts array. Use 'sizeof(char *) * opts_len' as the length to copy at the beginning of the resulting array. Signed-off-by: Jérémie Galarneau --- diff --git a/src/bin/lttng/commands/view.c b/src/bin/lttng/commands/view.c index bf9b1bef8..65259dba8 100644 --- a/src/bin/lttng/commands/view.c +++ b/src/bin/lttng/commands/view.c @@ -182,7 +182,7 @@ static char **alloc_argv_from_local_opts(const char **opts, size_t opts_len, goto error; } - memcpy(argv, opts, size); + memcpy(argv, opts, sizeof(char *) * opts_len); if (session_live_mode) { argv[opts_len] = "-i";