From 76656afc6dd069fcfda5768e6e54bb85e4e99942 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Thu, 7 Jun 2012 16:30:02 -0700 Subject: [PATCH] _FORTIFY_SOURCE: check for integer overflows Ensure that strcat / strncat check for integer overflows when computing the length of the resulting string. Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37 --- libc/Android.mk | 3 ++- libc/string/__strcat_chk.c | 7 ++++++- libc/string/__strncat_chk.c | 7 ++++++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/libc/Android.mk b/libc/Android.mk index 70a52439f..f2784fd5a 100644 --- a/libc/Android.mk +++ b/libc/Android.mk @@ -537,7 +537,8 @@ endif libc_common_c_includes := \ $(LOCAL_PATH)/stdlib \ $(LOCAL_PATH)/string \ - $(LOCAL_PATH)/stdio + $(LOCAL_PATH)/stdio \ + external/safe-iop/include # Needed to access private/__dso_handle.h from # crtbegin_xxx.S and crtend_xxx.S diff --git a/libc/string/__strcat_chk.c b/libc/string/__strcat_chk.c index 3e02052b8..7d8c89fd7 100644 --- a/libc/string/__strcat_chk.c +++ b/libc/string/__strcat_chk.c @@ -29,6 +29,7 @@ #include #include #include +#include /* * Runtime implementation of __builtin____strcat_chk. @@ -46,8 +47,12 @@ char *__strcat_chk (char *dest, const char *src, size_t dest_buf_size) // TODO: optimize so we don't scan src/dest twice. size_t src_len = strlen(src); size_t dest_len = strlen(dest); + size_t sum; - if (src_len + dest_len + 1 > dest_buf_size) { + // sum = src_len + dest_len + 1 (with overflow protection) + if (!safe_add3(&sum, src_len, dest_len, 1U)) abort(); + + if (sum > dest_buf_size) { __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strcat buffer overflow detected ***\n"); abort(); diff --git a/libc/string/__strncat_chk.c b/libc/string/__strncat_chk.c index 9b0b84a08..038762693 100644 --- a/libc/string/__strncat_chk.c +++ b/libc/string/__strncat_chk.c @@ -29,6 +29,7 @@ #include #include #include +#include /* * Runtime implementation of __builtin____strncat_chk. @@ -51,7 +52,11 @@ char *__strncat_chk (char *dest, const char *src, src_len = len; } - if (dest_len + src_len + 1 > dest_buf_size) { + size_t sum; + // sum = src_len + dest_len + 1 (with overflow protection) + if (!safe_add3(&sum, src_len, dest_len, 1U)) abort(); + + if (sum > dest_buf_size) { __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strncat buffer overflow detected ***\n"); abort();