bug-gnulib

Out of bounds va_arg access in rpl_fcntl


From: Frank Busse
Subject: Out of bounds va_arg access in rpl_fcntl
Date: Wed, 5 Sep 2018 11:33:30 +0100

Hi,


This was found by using KLEE [1] on Coreutils 8.30 (shred, stty, sync,
tail, and probably also dd (untested)). These tools call

fcntl (fd, F_GETFL)

F_GETFL is not handled in fcntl.c:rpl_fcntl, and the default case tries
to access a non-existent argument:

--
    default:
      {
#if HAVE_FCNTL
        void *p = va_arg (arg, void *); <---
        result = fcntl (fd, action, p);
#else
        errno = EINVAL;
#endif
        break;
      }
    }
  va_end (arg);
  return result;
--


Kind regards,

Frank


[1] https://klee.github.io/
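An added example, written for this page and not taken from gnulib or from the report above, of the shape a fcntl wrapper like rpl_fcntl can take so that va_arg is never evaluated for a command that carries no third argument. Reading a variadic argument the caller did not pass is undefined behaviour in C regardless of whether it happens to return something plausible on a given ABI, which is why KLEE reports it. The names fcntl_arg_kind, safe_fcntl and demo_safe_fcntl are my own. The command table covers the POSIX commands only, and unknown commands are rejected with EINVAL; that is stricter than the quoted default case, which forwards unknown commands with a pointer argument, so a real wrapper would extend the table with the platform-specific commands it needs rather than guess the argument type.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

/* What kind of third argument a fcntl command takes.  (Hypothetical helper
   written for this example; it is not part of gnulib.) */
enum fcntl_arg_kind { ARG_NONE, ARG_INT, ARG_PTR, ARG_UNKNOWN };

static enum fcntl_arg_kind
fcntl_arg_kind (int action)
{
  switch (action)
    {
    /* Commands that take no third argument: va_arg must not be called. */
    case F_GETFD:
    case F_GETFL:
#ifdef F_GETOWN
    case F_GETOWN:
#endif
      return ARG_NONE;

    /* Commands whose third argument is an int. */
    case F_DUPFD:
#ifdef F_DUPFD_CLOEXEC
    case F_DUPFD_CLOEXEC:
#endif
    case F_SETFD:
    case F_SETFL:
#ifdef F_SETOWN
    case F_SETOWN:
#endif
      return ARG_INT;

    /* Commands whose third argument is a pointer (struct flock *). */
    case F_GETLK:
    case F_SETLK:
    case F_SETLKW:
      return ARG_PTR;

    default:
      return ARG_UNKNOWN;
    }
}

/* Wrapper with the same calling convention as fcntl(2).  Only fetches a
   variadic argument when the command actually takes one. */
int
safe_fcntl (int fd, int action, ...)
{
  va_list arg;
  int result;

  va_start (arg, action);
  switch (fcntl_arg_kind (action))
    {
    case ARG_NONE:
      result = fcntl (fd, action);          /* no va_arg here */
      break;
    case ARG_INT:
      {
        int x = va_arg (arg, int);
        result = fcntl (fd, action, x);
      }
      break;
    case ARG_PTR:
      {
        void *p = va_arg (arg, void *);
        result = fcntl (fd, action, p);
      }
      break;
    default:
      /* Argument type unknown: refuse rather than read a guessed slot. */
      errno = EINVAL;
      result = -1;
      break;
    }
  va_end (arg);
  return result;
}

/* Exercise the wrapper on a pipe created here for the example: set
   O_NONBLOCK through F_SETFL, read it back through the argument-less
   F_GETFL, and check that an unknown command is rejected.  Returns 0 on
   success, otherwise a small code identifying the first failed step. */
int
demo_safe_fcntl (void)
{
  int fds[2];
  if (pipe (fds) != 0)
    return 1;

  int flags = safe_fcntl (fds[0], F_GETFL);        /* no third argument */
  if (flags < 0)
    return 2;
  if (safe_fcntl (fds[0], F_SETFL, flags | O_NONBLOCK) != 0)
    return 3;
  flags = safe_fcntl (fds[0], F_GETFL);
  if (flags < 0 || !(flags & O_NONBLOCK))
    return 4;

  errno = 0;
  if (safe_fcntl (fds[0], -12345) != -1 || errno != EINVAL)
    return 5;

  close (fds[0]);
  close (fds[1]);
  return 0;
}

int
main (void)
{
  printf ("demo_safe_fcntl: %d\n", demo_safe_fcntl ());
  return 0;
}
```

The table is the whole fix: the switch on the command decides whether a third argument exists before anything is read from the va_list, so F_GETFL and the other argument-less commands can never reach a va_arg call.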


