Closed
Bug 1309133
Opened 8 years ago
Closed 8 years ago
[Static Analysis][Buffer not null terminated] In function SandboxBroker::ThreadMain
Categories
(Core :: Security: Process Sandboxing, defect)
RESOLVED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox52 | --- | fixed |
People
(Reporter: andi, Assigned: andi)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: CID 1373569)
Attachments
(1 file, 1 obsolete file)
The Static Analysis tool Coverity detected a buffer that is not null terminated in the following context:
>>strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);
This can happen since the size of |pathBuf2| is kMaxPathLen + 1 so the 3rd argument of strncpy might be kMaxPathLen.
Comment 2•8 years ago
If you read the comment right above that line, that is 100% intentional:

    // We do not assume the second path is 0-terminated, this is
    // enforced below.
    strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);

The bug is:

    // Force 0 termination.
    pathBuf[pathLen2] = '\0';

Which should've been pathBuf2[...]
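Added example (not part of the bug thread and not Mozilla's code): a self-contained C reduction of the pattern discussed in comment 2, showing that terminating `pathBuf` instead of `pathBuf2` leaves `pathBuf2` without a NUL and also truncates the first path. The struct, `split`, `make_msg`, `terminated`, the length rule for `pathLen2` and the small `kMaxPathLen` value are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
enum { kMaxPathLen = 8 };            /* constructed small value for the demo */

struct paths { char pathBuf[kMaxPathLen + 1], pathBuf2[kMaxPathLen + 1]; };

/* 1 if a NUL occurs anywhere within the n bytes of buf. */
static int terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Constructed message "/a/b/c/d" NUL "/x"; the rest of recvBuf is stale. */
static size_t make_msg(char *recvBuf, size_t cap)
{
    memset(recvBuf, 'Z', cap);
    memcpy(recvBuf, "/a/b/c/d\0/x", 11);
    return 11;
}

/* Split "first\0second" into p; fixed == 0 keeps the wrong-buffer write. */
static void split(struct paths *p, const char *recvBuf, size_t msg_len, int fixed)
{
    size_t first_len = strlen(recvBuf);
    size_t pathLen2 = msg_len - first_len - 1;   /* assumed length rule */
    if (pathLen2 > kMaxPathLen) pathLen2 = kMaxPathLen;
    memset(p, 'S', sizeof *p);                   /* stand-in for stack garbage */
    strncpy(p->pathBuf, recvBuf, kMaxPathLen + 1);
    p->pathBuf[kMaxPathLen] = '\0';
    /* Copies kMaxPathLen + 1 bytes and writes no NUL if none is found. */
    strncpy(p->pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);
    if (fixed)
        p->pathBuf2[pathLen2] = '\0';            /* correct buffer */
    else
        p->pathBuf[pathLen2] = '\0';             /* wrong buffer */
}

int main(void)
{
    char recvBuf[2 * (kMaxPathLen + 1)];
    struct paths p;
    size_t n = make_msg(recvBuf, sizeof recvBuf);
    for (int fixed = 0; fixed <= 1; fixed++) {
        split(&p, recvBuf, n, fixed);
        printf("fixed=%d pathBuf=\"%s\" pathBuf2 terminated=%d\n", fixed,
               p.pathBuf, terminated(p.pathBuf2, sizeof p.pathBuf2));
    }
    return 0;
}
```

The check uses `memchr` over the buffer's own size rather than `strlen`, so the unterminated case is observed without reading past the array.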
Comment 3•8 years ago
mozreview-review |
Comment on attachment 8799634 [details] Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain. https://reviewboard.mozilla.org/r/84782/#review83418
Attachment #8799634 -
Flags: review?(gpascutto) → review-
Comment 6•8 years ago
mozreview-review |
Comment on attachment 8799634 [details] Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain. https://reviewboard.mozilla.org/r/84782/#review83424
Attachment #8799634 -
Flags: review?(gpascutto) → review+
Updated•8 years ago
Attachment #8799723 -
Attachment is obsolete: true
Attachment #8799723 -
Flags: review?(jld)
Pushed by bpostelnicu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ed40af32ba48 null terminate pathBuf2 in SandboxBroker::ThreadMain. r=gcp
Comment 8•8 years ago
mozreview-review |
Comment on attachment 8799723 [details] Bug 1309133 - Ensure termination of the correct buffer. https://reviewboard.mozilla.org/r/84862/#review83426
Updated•8 years ago
Attachment #8799723 -
Attachment is obsolete: false
Updated•8 years ago
Attachment #8799723 -
Attachment is obsolete: true
Comment 9•8 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/ed40af32ba48
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52