author | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-05-24 13:29:52 +0200 |
---|---|---|
committer | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-05-24 21:59:10 +0200 |
commit | f392dfb5a1286184189233a84f6d6871bd4f7ade (patch) | |
tree | 5ff4a2348b7157f6049544f7c30c2899e8652352 /src/coredump/coredump.c | |
parent | sd-journal: propagate errors from ordered_hashmap_*() (diff) | |
tree-wide: check memstream buffer after closing the handle
When closing the FILE handle attached to a memstream, it may attempt to
do a realloc() that may fail during OOM situations, in which case we are
left with the buffer pointer pointing to NULL and buffer size > 0. For
example:
```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Override realloc() so every call fails, simulating an OOM condition */
void *realloc(void *ptr, size_t size) {
        return NULL;
}

int main(int argc, char *argv[])
{
        FILE *f;
        char *buf;
        size_t sz = 0;

        f = open_memstream(&buf, &sz);
        if (!f)
                return -ENOMEM;

        fputs("Hello", f);
        fflush(f);
        /* Before fclose(): the buffer is valid and holds the written data */
        printf("buf: 0x%lx, sz: %lu, errno: %d\n",
               (unsigned long) buf, sz, errno);

        fclose(f);
        /* After fclose(): the final realloc() failed, so buf is NULL but sz is still 5 */
        printf("buf: 0x%lx, sz: %lu, errno: %d\n",
               (unsigned long) buf, sz, errno);

        return 0;
}
```
```
$ gcc -o main main.c
$ ./main
buf: 0x74d4a0, sz: 5, errno: 0
buf: 0x0, sz: 5, errno: 0
```
This might do unexpected things if the underlying code expects a valid
pointer to the memstream buffer after closing the handle.
Found by Nallocfuzz.
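The defensive pattern this commit applies across the tree, as an added example rather than systemd's own code: close the memstream first, then refuse to hand out the buffer when the close left it NULL, so no caller ever dereferences the post-OOM state shown above. The helper names (`memstream_close_status`, `memstream_finalize`, `render_greeting`) are this example's own; the status check mirrors the ordering used in the patch (an errno from the close wins, then a NULL buffer is reported as `-ENOMEM`).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the example also builds when a strict -std= mode
 * hides the POSIX declaration in <stdio.h>. */
FILE *open_memstream(char **bufp, size_t *sizep);

/* Decide, from the state fclose() left behind, whether the memstream buffer
 * may be handed out. Same ordering as the patch: an errno raised while
 * closing wins, then a NULL pointer means the final realloc() failed.
 * Returns 0 when the buffer is usable, a negative errno otherwise. */
static int memstream_close_status(const char *buf, int saved_errno) {
        if (saved_errno > 0)
                return -saved_errno;
        if (!buf)
                return -ENOMEM;  /* pointer NULL, size may still be > 0 */
        return 0;
}

/* Close the memstream and transfer its buffer to *out / *out_len.
 * On any error nothing is transferred and nothing is leaked (free(NULL)
 * is a no-op). */
static int memstream_finalize(FILE *f, char **buf, size_t *sz,
                              char **out, size_t *out_len) {
        int r;

        errno = 0;
        fclose(f);             /* performs the last realloc() of *buf */
        r = memstream_close_status(*buf, errno);
        if (r < 0) {
                free(*buf);
                *buf = NULL;
                return r;
        }

        *out = *buf;
        *out_len = *sz;
        *buf = NULL;           /* ownership moved to the caller */
        return 0;
}

/* Build a string through a memstream the safe way: the result is exposed
 * only after memstream_finalize() has vouched for the buffer. */
static int render_greeting(const char *name, char **out, size_t *out_len) {
        char *buf = NULL;
        size_t sz = 0;
        FILE *f;

        f = open_memstream(&buf, &sz);
        if (!f)
                return -errno;
        fprintf(f, "Hello, %s", name);
        return memstream_finalize(f, &buf, &sz, out, out_len);
}

/* Self-check of the success path; returns 1 when the text came through
 * intact. The OOM path itself can only be exercised by stubbing realloc(),
 * as the reproducer in the commit message does. */
static int selftest(void) {
        char *s = NULL;
        size_t n = 0;
        int ok;

        if (render_greeting("world", &s, &n) != 0)
                return 0;
        ok = n == 12 && strcmp(s, "Hello, world") == 0;
        free(s);
        return ok;
}

int main(void) {
        int ok = selftest();
        printf("selftest: %s\n", ok ? "ok" : "FAIL");
        return ok ? 0 : 1;
}
```

The check on the pointer deliberately ignores the size: after a failed realloc() the size still reports the bytes that were written, so a size-based sanity check would pass while the pointer is NULL.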
Diffstat (limited to 'src/coredump/coredump.c')
-rw-r--r-- | src/coredump/coredump.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c index 5fdcfa7437..a6b0d96488 100644 --- a/src/coredump/coredump.c +++ b/src/coredump/coredump.c @@ -707,6 +707,9 @@ static int compose_open_fds(pid_t pid, char **open_fds) { if (errno > 0) return -errno; + if (!buffer) + return -ENOMEM; + *open_fds = TAKE_PTR(buffer); return 0; |
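Review bot: the new `if (!buffer) return -ENOMEM;` deserves a one-line comment explaining why it is not redundant with the `if (errno > 0) return -errno;` directly above it. As the reproducer in the commit message shows, the failed realloc() inside fclose() leaves the buffer NULL while errno stays 0, so the errno check alone would let a NULL pointer reach `*open_fds = TAKE_PTR(buffer);`. A comment along the lines of `/* fclose() of a memstream may fail its final realloc() without setting errno */` above the check would spare the next reader a trip to the commit log.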