[Boost-bugs] [Boost C++ Libraries] #13590: Bug in executor::_read_error leads to bad string allocation exception

From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2018-06-11 09:15:19


#13590: Bug in executor::_read_error leads to bad string allocation exception
---------------------------------------------+-------------------------
 Reporter: Elmar Daegele <elmar.daegele@…> | Owner: (none)
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: process
  Version: Boost 1.65.0 | Severity: Showstopper
 Keywords: |
---------------------------------------------+-------------------------
 Method executor::_read_error contains various weaknesses which can lead to
 string allocation with excessive length, causing exceptions at string
 construction or out-of-memory issues.

 The most severe issue is caused by the fact that the method is not prepared
 for reading fragments from the pipe. As the pipe is not created with
 O_DIRECT, data can be fragmented. In fact, we observed that ::read
 returned just 4 bytes, although _write_error is writing 8 bytes. This
 leaves the second entry of the data[2] array uninitialized(!!), which is
 afterwards - without any check! - passed directly to the string creation:

  std::string msg(data[1], ' '); --> crash as data[1] contains random value

 Also the second part of the function, which reads the error message text,
 is not prepared for reading fragmented data.

 Patched code that works well here can be found attached.

-- 
Ticket URL: <https://svn.boost.org/trac10/ticket/13590>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
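
The short-read problem described in the ticket and one way to guard against it, as an added example that is neither the reporter's attached patch nor Boost.Process code. It assumes the header is an `int[2]` holding {error code, message length} followed by the message text; `read_exact`, `read_error_report`, `kMaxMsgLen`, `make_frame` and `parse_bytes` are hypothetical names.

```cpp
// Added example, not Boost.Process code. Assumed layout: int[2] {code, length}, then text.
#include <cerrno>
#include <string>
#include <unistd.h>

constexpr int kMaxMsgLen = 4096;  // assumed cap on the message length
enum class Status { ok, truncated, bad_length };
struct Report { Status status; int code; std::string msg; };

// A pipe read may return fewer bytes than requested: loop until n bytes
// have arrived. Returns false on error or if the writer closed early.
bool read_exact(int fd, void* buf, std::size_t n) {
    char* p = static_cast<char*>(buf);
    while (n > 0) {
        ssize_t r = ::read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;  // interrupted: retry
        if (r <= 0) return false;               // error or EOF
        p += r;
        n -= static_cast<std::size_t>(r);
    }
    return true;
}

Report read_error_report(int fd) {
    int data[2] = {0, 0};  // initialized, and only used after a full read
    if (!read_exact(fd, data, sizeof data)) return {Status::truncated, 0, ""};
    // Validate the length before it reaches the string constructor.
    if (data[1] < 0 || data[1] > kMaxMsgLen) return {Status::bad_length, data[0], ""};
    std::string msg(static_cast<std::size_t>(data[1]), ' ');
    if (!msg.empty() && !read_exact(fd, &msg[0], msg.size()))
        return {Status::truncated, data[0], ""};
    return {Status::ok, data[0], msg};
}

// Constructed test input: header plus text, as a writer side would send it.
std::string make_frame(int code, int len, const std::string& text) {
    int data[2] = {code, len};
    return std::string(reinterpret_cast<const char*>(data), sizeof data) + text;
}

// Push constructed bytes through a real pipe, close the write end, parse.
Report parse_bytes(const std::string& bytes) {
    int fds[2];
    Report r{Status::truncated, 0, ""};
    if (::pipe(fds) != 0) return r;
    ssize_t w = bytes.empty() ? 0 : ::write(fds[1], bytes.data(), bytes.size());
    ::close(fds[1]);
    if (w == static_cast<ssize_t>(bytes.size())) r = read_error_report(fds[0]);
    ::close(fds[0]);
    return r;
}
```

A header cut off after 4 bytes is reported as `truncated` instead of leaving `data[1]` unset, and an out-of-range length is rejected as `bad_length` before any allocation.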
