[DTrace-devel] [PATCH] Fix invalid memory access when looking for pid provider

Kris Van Hees kris.van.hees at oracle.com
Wed Apr 8 08:00:27 PDT 2020


The code to determine whether a provider name is a pid provider checks
whether the last character of the provider name is a digit.  This worked
fine when the probe description name components were fixed size character
arrays, but with the change to using allocated strings, this can result in
reading a byte *before* the allocated string if the string is an empty
string because we look at pdp->prv[strlen(pdp->prv) - 1] which would be
pdp->prv[0 - 1], and therefore we access pdp->prv[-1].

Signed-off-by: Kris Van Hees <kris.van.hees at oracle.com>
---
 libdtrace/dt_cc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libdtrace/dt_cc.c b/libdtrace/dt_cc.c
index fe7082e8..db009461 100644
--- a/libdtrace/dt_cc.c
+++ b/libdtrace/dt_cc.c
@@ -1679,7 +1679,8 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
 	 * On an error, dt_pid_create_probes() will set the error message
 	 * and tag -- we just have to longjmp() out of here.
 	 */
-	if (isdigit(pdp->prv[strlen(pdp->prv) - 1]) &&
+	if (pdp->prv && pdp->prv[0] &&
+	    isdigit(pdp->prv[strlen(pdp->prv) - 1]) &&
 	    ((pvp = dt_provider_lookup(dtp, pdp->prv)) == NULL ||
 	    pvp->desc.dtvd_priv.dtpp_flags & DTRACE_PRIV_PROC) &&
 	    dt_pid_create_probes(pdp, dtp, yypcb) != 0) {
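Review bot: the retained test `isdigit(pdp->prv[strlen(pdp->prv) - 1])` still passes a plain `char` to isdigit(); on a platform where `char` is signed, a trailing byte with the high bit set yields a negative value other than EOF, which is undefined behaviour for the ctype functions. Cast the argument: `isdigit((unsigned char)pdp->prv[strlen(pdp->prv) - 1])`. Separately, the new `pdp->prv &&` guard also tolerates a NULL provider name, which the commit message does not mention (it only describes the empty-string case); either drop that half of the guard or state in the message that a NULL prv is now expected to reach dt_setcontext().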
-- 
2.26.0
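The commit message describes an off-by-one read before the buffer when the provider name is an empty allocated string. The following is an added example, not libdtrace code: `last_index_unchecked()` reproduces the index arithmetic of the old test without dereferencing it, showing that `strlen("") - 1` wraps to `SIZE_MAX` (which, used as `s[idx]`, is the byte at `s[-1]`), and `ends_in_digit()` is a hypothetical hardened predicate of the same shape as the patched condition, with the NULL and empty-string guards plus the `unsigned char` cast the ctype functions require. The provider names in `main()` are constructed sample input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * The index the unguarded check computes. For an empty string strlen()
 * is 0, so 0 - 1 in size_t arithmetic is SIZE_MAX; indexing s[SIZE_MAX]
 * on a typical flat address space lands on the byte before the buffer,
 * i.e. s[-1]. The value is returned, never used as an index here.
 */
size_t last_index_unchecked(const char *prv)
{
	return strlen(prv) - 1;
}

/*
 * Hypothetical hardened version of the "does the provider name end in a
 * digit" test (example code, not libdtrace's dt_setcontext()):
 *   - NULL and "" are rejected before strlen()-1 can wrap;
 *   - the byte is cast to unsigned char so a high-bit byte is a valid
 *     isdigit() argument rather than a negative int (undefined behaviour).
 */
int ends_in_digit(const char *prv)
{
	size_t len;

	if (prv == NULL || prv[0] == '\0')
		return 0;
	len = strlen(prv);
	return isdigit((unsigned char)prv[len - 1]) != 0;
}

int main(void)
{
	/* Constructed sample provider names, including the empty string. */
	const char *names[] = { "pid1234", "syscall", "", "fbt", "pid0", "\xe9" };
	size_t i;

	printf("strlen(\"\") - 1 == SIZE_MAX: %s\n",
	    last_index_unchecked("") == SIZE_MAX ? "yes" : "no");
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-10s ends_in_digit=%d\n", names[i][0] ? names[i] : "\"\"",
		    ends_in_digit(names[i]));
	printf("NULL       ends_in_digit=%d\n", ends_in_digit(NULL));
	return 0;
}
```

Compile with `cc -Wall -Wextra -o pidprov pidprov.c` and run it; the point of the first line of output is that the old arithmetic does not fail loudly on an empty name, it silently produces an out-of-bounds index.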