glibc/misc/tst-syslog-long-progname.c
Arjun Shankar 23514c72b7 syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.  This commit fixes that.  It also adds a new regression test
that uses glibc.malloc.check.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 6bd0e4efcc)
2024-01-30 15:55:43 +01:00

40 lines
1.2 KiB
C

/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246)
Copyright (C) 2023 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#include <syslog.h>
#include <string.h>
extern char * __progname;
static int
do_test (void)
{
char long_progname[2048];
memset (long_progname, 'X', sizeof (long_progname) - 1);
long_progname[sizeof (long_progname) - 1] = '\0';
__progname = long_progname;
syslog (LOG_INFO, "Hello, World!");
return 0;
}
#include <support/test-driver.c>