Closed
Bug 1309133
Opened 8 years ago
Closed 8 years ago
[Static Analysis][Buffer not null terminated] In function SandboxBroker::ThreadMain
Categories
(Core :: Security: Process Sandboxing, defect)
Core
Security: Process Sandboxing
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: andi, Assigned: andi)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: CID 1373569)
Attachments
(1 file, 1 obsolete file)
The Static Analysis tool Coverity detected that a buffer not null terminated occurs in this following context:
>>strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);
This can happen since the size of of |pathBuf2| is kMaxPathLen + 1 so the 3rd argument of strncpy might be kMaxPathLen
| Comment hidden (mozreview-request) |
|
||
Comment 2•8 years ago
|
||
If you read the comment right above that line, that is 100% intentional:
// We do not assume the second path is 0-terminated, this is
// enforced below.
strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);
The bug is:
// Force 0 termination.
pathBuf[pathLen2] = '\0';
Which should've been pathBuf2[...]|
|
||
Comment 3•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8799634 [details] Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain. https://reviewboard.mozilla.org/r/84782/#review83418
Attachment #8799634 -
Flags: review?(gpascutto) → review-
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
||
Comment 6•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8799634 [details] Bug 1309133 - null terminate pathBuf2 in SandboxBroker::ThreadMain. https://reviewboard.mozilla.org/r/84782/#review83424
Attachment #8799634 -
Flags: review?(gpascutto) → review+
|
|
||
Updated•8 years ago
|
Attachment #8799723 -
Attachment is obsolete: true
Attachment #8799723 -
Flags: review?(jld)
Pushed by bpostelnicu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ed40af32ba48 null terminate pathBuf2 in SandboxBroker::ThreadMain. r=gcp
|
|
||
Comment 8•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8799723 [details] Bug 1309133 - Ensure termination of the correct buffer. https://reviewboard.mozilla.org/r/84862/#review83426
|
|
||
Updated•8 years ago
|
Attachment #8799723 -
Attachment is obsolete: false
|
|
||
Updated•8 years ago
|
Attachment #8799723 -
Attachment is obsolete: true
|
||
Comment 9•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ed40af32ba48
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in
before you can comment on or make changes to this bug.
Description
•