dtrace: fix an out of bound read and a NULL pointer increment
In dt_cc.c, when the provider is an empty string, indexing with strlen(pdp->dtpd_provider) - 1 results in a pdp->dtpd_provider[-1] access. Similarly, in dt_ident.c, if p2 is a NULL pointer, doing p2++ on it is undefined behaviour. Reviewed by: markj MFC after: 1 week Sponsored by: Google Differential Revision: https://reviews.freebsd.org/D30778
parent
0247c33e89
commit
a877965fa3
@ -1691,6 +1691,7 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
|
||||
dt_ident_t *idp;
|
||||
char attrstr[8];
|
||||
int err;
|
||||
size_t prov_len;
|
||||
|
||||
/*
|
||||
* Both kernel and pid based providers are allowed to have names
|
||||
@ -1704,7 +1705,10 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
|
||||
* On an error, dt_pid_create_probes() will set the error message
|
||||
* and tag -- we just have to longjmp() out of here.
|
||||
*/
|
||||
if (isdigit(pdp->dtpd_provider[strlen(pdp->dtpd_provider) - 1]) &&
|
||||
|
||||
prov_len = strlen(pdp->dtpd_provider);
|
||||
|
||||
if ((prov_len > 0 && isdigit(pdp->dtpd_provider[prov_len - 1])) &&
|
||||
((pvp = dt_provider_lookup(dtp, pdp->dtpd_provider)) == NULL ||
|
||||
pvp->pv_desc.dtvd_priv.dtpp_flags & DTRACE_PRIV_PROC) &&
|
||||
dt_pid_create_probes(pdp, dtp, yypcb) != 0) {
|
||||
|
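Review bot: The argument handed to isdigit() on the new `if` line is a plain `char` taken from the provider name; a byte above 0x7F is passed as a negative int, which is outside the domain the <ctype.h> functions accept (EOF or an unsigned char value) and is undefined behaviour on platforms where char is signed. Since provider names originate in the parsed D program, the cast is worth adding while this line is being touched: `if ((prov_len > 0 && isdigit((unsigned char)pdp->dtpd_provider[prov_len - 1])) &&`. The `prov_len > 0` guard itself correctly closes the empty-string read described in the commit message. dt_setcontext() begins and ends outside this hunk.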
@ -210,8 +210,10 @@ dt_idcook_func(dt_node_t *dnp, dt_ident_t *idp, int argc, dt_node_t *args)
|
||||
}
|
||||
}
|
||||
|
||||
for (p2 = strchr(p2, ','); p2++ != NULL; i++)
|
||||
for (p2 = strchr(p2, ','); p2 != NULL; i++) {
|
||||
p2++;
|
||||
p2 = strchr(p2, ',');
|
||||
}
|
||||
|
||||
/*
|
||||
* We first allocate a new ident signature structure with the
|
||||
|
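Review bot: The rewritten loop spreads the comma-counting state across the for header and a two-statement body; the same traversal reads more directly as `while ((p2 = strchr(p2, ',')) != NULL) { p2++; i++; }`, which makes it plain that `i` counts commas and that each search resumes one past the previous match. Either form relies on `p2` being non-NULL before the first strchr() call, which this hunk does not show; if an earlier assignment in dt_idcook_func() guarantees that, a short comment such as `/* p2 points at the argument list; count its commas */` would document the precondition. dt_idcook_func() begins and ends outside this hunk.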