[PATCH] services: Avoid buffer overruns in test_runner and START_TEST.

Gerald Pfeifer gerald at pfeifer.com
Sun Nov 22 18:54:14 CST 2020 

I never got a response to my patch below (and, yes, I checked the
list archives).

More than two years later the following, essentially identical, 
patch by Rémi was applied:

  commit bcbe1d120cf6f68dd6a888b488050b3db33d1e5c
  Author: Rémi Bernon <rbernon at codeweavers.com>
  Date:   Tue Feb 11 19:09:33 2020 +0100

    services/tests: Fix some format-overflow warnings.
    
    Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
    Signed-off-by: Alexandre Julliard <julliard at winehq.org>

Hmm...

Gerald

On Mon, 25 Dec 2017, Gerald Pfeifer wrote:

> A few days ago my GCC-based builder started picking this up, and
> looking into the code there is potential for an actual buffer overrun, 
> since service_name is included into named_pipe_name together with some
> constants, and both originally were the same size.
> 
> This fixes it by increasing the size of the second buffer which also
> addresses the following warnings issued by GCC:
> 
> service.c: In function ‘test_runner’:
> service.c:541:46: warning: ‘_pipe’ directive writing 5 bytes into a region 
> of size between 1 and 100 [-Wformat-overflow=]
>      sprintf(named_pipe_name, "\\\\.\\pipe\\%s_pipe", service_name);
>                                               ^~~~~
> service.c:541:5: note: ‘sprintf’ output between 15 and 114 bytes into a 
> destination of size ...
>      sprintf(named_pipe_name, "\\\\.\\pipe\\%s_pipe", service_name);
>      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> service.c: In function ‘func_service’:
> service.c:593:50: warning: ‘_pipe’ directive writing 5 bytes into a region 
> of size between 1 and 100 [-Wformat-overflow=]
>          sprintf(named_pipe_name, "\\\\.\\pipe\\%s_pipe", service_name);
>                                                   ^~~~~
> service.c:593:9: note: ‘sprintf’ output between 15 and 114 bytes into a 
> destination of size ...
>          sprintf(named_pipe_name, "\\\\.\\pipe\\%s_pipe", service_name);
>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Gerald
> 
> Signed-off-by: Gerald Pfeifer <gerald at pfeifer.com>
> ---
>  programs/services/tests/service.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/programs/services/tests/service.c b/programs/services/tests/service.c
> index 98419497a5..47adb1a397 100644
> --- a/programs/services/tests/service.c
> +++ b/programs/services/tests/service.c
> @@ -29,7 +29,8 @@
>  static SERVICE_STATUS_HANDLE (WINAPI *pRegisterServiceCtrlHandlerExA)(LPCSTR,LPHANDLER_FUNCTION_EX,LPVOID);
>  
>  static HANDLE pipe_handle = INVALID_HANDLE_VALUE;
> -static char service_name[100], named_pipe_name[100];
> +static char service_name[100],
> +            named_pipe_name[114]; /* will include service_name later on */
>  static SERVICE_STATUS_HANDLE service_handle;
>  
>  /* Service process global variables */
>

More information about the wine-devel mailing list