FORTIFY_SOURCE: fortify strchr

Detect when strchr reads off the end of a buffer.

Change-Id: I0e952eedcff5c36d646a9c3bc4e1337b959224f2
This commit is contained in:
Nick Kralevich 2012-11-30 15:15:58 -08:00
parent 16c61f0885
commit 049e58369c
3 changed files with 31 additions and 2 deletions

View File

@ -224,6 +224,23 @@ size_t strlen(const char *s) {
return __strlen_chk(s, bos);
}
__purefunc extern char* __strchr_real(const char *, int)
__asm__(__USER_LABEL_PREFIX__ "strchr");
extern char* __strchr_chk(const char *, int, size_t);
__BIONIC_FORTIFY_INLINE
char* strchr(const char *s, int c) {
size_t bos = __builtin_object_size(s, 0);
// Compiler doesn't know destination size. Don't call __strchr_chk
if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
return __strchr_real(s, c);
}
return __strchr_chk(s, c, bos);
}
#endif /* defined(__BIONIC_FORTIFY_INLINE) */
__END_DECLS

View File

@ -29,6 +29,7 @@
#define _ANDROID_BIONIC_LOGD_H
#include <stdarg.h>
#include <stdint.h>
#define BIONIC_EVENT_MEMCPY_BUFFER_OVERFLOW 80100
#define BIONIC_EVENT_STRCAT_BUFFER_OVERFLOW 80105

View File

@ -29,11 +29,17 @@
*/
#include <string.h>
#include <private/logd.h>
char *
strchr(const char *p, int ch)
__strchr_chk(const char *p, int ch, size_t s_len)
{
for (;; ++p) {
for (;; ++p, s_len--) {
if (s_len == 0) {
__libc_android_log_print(ANDROID_LOG_FATAL, "libc",
"*** FORTIFY_SOURCE strchr read beyond buffer ***\n");
abort();
}
if (*p == (char) ch)
return((char *)p);
if (!*p)
@ -41,3 +47,8 @@ strchr(const char *p, int ch)
}
/* NOTREACHED */
}
char *
strchr(const char *p, int ch) {
return __strchr_chk(p, ch, (size_t) -1);
}