[RTS] Harden against buffer overflow
author Bartosz Nitka <niteria@gmail.com>
Wed, 13 Sep 2017 12:28:00 +0000 (08:28 -0400)
committer Ben Gamari <ben@smart-cactus.org>
Wed, 13 Sep 2017 14:40:02 +0000 (10:40 -0400)
This sprintf is safe thanks to the guarantees on the format strings that
we pass to it.  Well, almost. The GR_FILENAME_FMT_GUM format would not
have satisfied them if it was still used.

If someone makes a mistake, that's a potential privilege escalation,
so I think it's reasonable to switch to snprintf to protect against
that remote possibility.

Test Plan: it builds, CI

Reviewers: simonmar, bgamari, austin, erikd

Reviewed By: bgamari

Subscribers: rwbarton, thomie

Differential Revision: https://phabricator.haskell.org/D3944

includes/rts/Flags.h
rts/RtsFlags.c

index 6700f9d..6040201 100644 (file)
@@ -263,7 +263,6 @@ extern RTS_FLAGS RtsFlags;
 #define STATS_FILENAME_MAXLEN  128
 
 #define GR_FILENAME_FMT                "%0.124s.gr"
-#define GR_FILENAME_FMT_GUM    "%0.120s.%03d.%s"
 #define HP_FILENAME_FMT                "%0.124s.hp"
 #define LIFE_FILENAME_FMT      "%0.122s.life"
 #define PROF_FILENAME_FMT      "%0.122s.prof"
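Review bot: The size rule that the remaining *_FILENAME_FMT macros depend on is not written down next to STATS_FILENAME_MAXLEN. Each format's precision plus its literal suffix plus the terminating NUL has to fit in 128 bytes (124 + 3 + 1 for ".gr" and ".hp", 122 + 5 + 1 for ".life" and ".prof"). The removed GR_FILENAME_FMT_GUM did not meet it, since its trailing %s is unbounded and the 3 in %03d is a minimum width, not a maximum. Suggest a comment above these defines stating the rule, so that any format added later is checked against it.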
index 06d59f0..ec21ef1 100644 (file)
@@ -1636,7 +1636,8 @@ openStatsFile (char *filename,           // filename, or NULL
             }
             /* default <program>.<ext> */
             char stats_filename[STATS_FILENAME_MAXLEN];
-            sprintf(stats_filename, filename_fmt, prog_name);
+            snprintf(stats_filename, STATS_FILENAME_MAXLEN, filename_fmt,
+                prog_name);
             f = fopen(stats_filename,"w");
         }
         if (f == NULL) {
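Review bot: The return value of the new snprintf call is discarded, so if a format ever expands past the buffer, the name is silently truncated and fopen(stats_filename,"w") creates or overwrites a file other than the intended one. Suggest checking that the result is non-negative and less than the buffer size, and treating anything else as an error before the fopen. Passing sizeof(stats_filename) instead of repeating STATS_FILENAME_MAXLEN would also keep the bound tied to the declaration on the line above.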