From e20ca0249f0a7b3b8e2d8f50437e63ea17b8f6e9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?=
Date: Thu, 19 Sep 2019 14:24:34 -0400
Subject: [PATCH] Fix: lttng: out-of-bound copy of arguments in 'view' command handler
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The 'size' operand of memcpy() does not indicate the length of the opts array; it is the size of the resulting array once the opts array is concatenated with the options being added in this function. This results in out-of-bound read(s) in the opts array. Use 'sizeof(char *) * opts_len' as the length to copy at the beginning of the resulting array.

Signed-off-by: Jérémie Galarneau
---
 src/bin/lttng/commands/view.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bin/lttng/commands/view.c b/src/bin/lttng/commands/view.c
index 0325e505c..8e63a8997 100644
--- a/src/bin/lttng/commands/view.c
+++ b/src/bin/lttng/commands/view.c
@@ -188,7 +188,7 @@ static char **alloc_argv_from_local_opts(const char **opts, size_t opts_len,
 goto error;
 }
 
- memcpy(argv, opts, size);
+ memcpy(argv, opts, sizeof(char *) * opts_len);
 
 if (session_live_mode) {
 argv[opts_len] = "-i";
-- 
2.34.1
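Review bot: The new copy length on the `memcpy` line, `sizeof(char *) * opts_len`, is written independently of the allocation size `size`, so the two expressions can drift apart again if either is edited later. Tying the element size to the destination, `memcpy(argv, opts, sizeof(*argv) * opts_len);`, and adding a comment such as `/* Copy only the caller's options; 'size' also covers the entries appended below. */` would make the bound explicit at the call site. The computation of `size` and the allocation of `argv` sit above this hunk, so whether `size` always covers `opts_len` entries plus the appended ones (and a terminating NULL, if the consumer expects one) cannot be confirmed from the lines shown. alloc_argv_from_local_opts starts and ends outside the hunk.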