dtrace: fix an out of bound read and a NULL pointer increment

In dt_cc.c when the provider is an empty string, accessing strlen(pdp->dtpd_provider) - 1 will result in a pdp->dtpd_provider[-1] access. Similarly, in dt_ident.c, if p2 is a NULL pointer, doing a p2++ on it is undefined behaviour. Reviewed by: markj MFC after: 1 week Sponsored by: Google Differential Revision: https://reviews.freebsd.org/D30778
2024-11-26 07:55:01 +00:00 · 2021-06-17 13:35:33 -04:00 · 2021-06-17 13:35:33 -04:00 · a877965fa3
commit a877965fa3
parent 0247c33e89
2 changed files with 8 additions and 2 deletions
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c
@ -1691,6 +1691,7 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
 	dt_ident_t *idp;
 	char attrstr[8];
 	int err;
+	size_t prov_len;

 	/*
 	 * Both kernel and pid based providers are allowed to have names
@ -1704,7 +1705,10 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
 	 * On an error, dt_pid_create_probes() will set the error message
 	 * and tag -- we just have to longjmp() out of here.
 	 */
-	if (isdigit(pdp->dtpd_provider[strlen(pdp->dtpd_provider) - 1]) &&
+
+	prov_len = strlen(pdp->dtpd_provider);
+
+	if ((prov_len > 0 && isdigit(pdp->dtpd_provider[prov_len - 1])) &&
 	    ((pvp = dt_provider_lookup(dtp, pdp->dtpd_provider)) == NULL ||
 	    pvp->pv_desc.dtvd_priv.dtpp_flags & DTRACE_PRIV_PROC) &&
 	    dt_pid_create_probes(pdp, dtp, yypcb) != 0) {
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c
@ -210,8 +210,10 @@ dt_idcook_func(dt_node_t *dnp, dt_ident_t *idp, int argc, dt_node_t *args)
 			}
 		}

-		for (p2 = strchr(p2, ','); p2++ != NULL; i++)
+		for (p2 = strchr(p2, ','); p2 != NULL; i++) {
+			p2++;
 			p2 = strchr(p2, ',');
+		}

 		/*
 		 * We first allocate a new ident signature structure with the