proc_parse: check that scanf fill the offset var

CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR) 40. tainted_data: Using tainted variable "hoff" as an index into an array "str" $ man 3 scanf n Nothing is expected; instead, the number of characters consumed thus far from the input is stored through the next pointer, which must be a pointer to int. This is not a conversion, although it can be suppressed with the * assignment-suppression character. The C standard says: "Execution of a %n directive does not increment the assignment count returned at the comple‐ tion of execution" but the Corrigendum seems to contradict this. Probably it is wise not to make any assumptions on the effect of %n conversions on the return value. So it isn't not enough to check a return code from scanf(). Cc: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2025-08-30 22:05:36 +00:00 · 2014-08-06 18:03:00 +04:00
parent e601a2ea5d
commit a48e52b58c
1 changed files with 2 additions and 2 deletions
--- a/proc_parse.c
+++ b/proc_parse.c
@@ -1213,7 +1213,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
 		if (fdinfo_field(str, "fanotify ino")) {
 			FanotifyInodeMarkEntry ie = FANOTIFY_INODE_MARK_ENTRY__INIT;
 			FhEntry f_handle = FH_ENTRY__INIT;
-			int hoff;
+			int hoff = 0;

 			if (type != FD_TYPES__FANOTIFY)
 				goto parse_err;
@@ -1229,7 +1229,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
 				     &entry.ffy.mflags, &entry.ffy.mask, &entry.ffy.ignored_mask,
 				     &f_handle.bytes, &f_handle.type,
 				     &hoff);
-			if (ret != 7)
+			if (ret != 7 || hoff == 0)
 				goto parse_err;

 			if (alloc_fhandle(&f_handle)) {