Opened 4 years ago

#13590 new Bugs

Bug in executor::_read_error leads to bad string allocation exception

Reported by: Elmar Daegele <elmar.daegele@…> Owned by:
Milestone: To Be Determined Component: process
Version: Boost 1.65.0 Severity: Showstopper
Keywords: Cc:

Description

Method executor::_read_error contains various weaknesses which can lead to string allocation with excessive length, causing exceptions at string construction or out-of-memory issues.

The most severe issue is caused by the fact that the method is not prepared for reading fragments from the pipe. As the pipe is not created with O_DIRECT, data can be fragmented. In fact, we observed that ::read returned just 4 bytes, although _write_error is writing 8 bytes. This leaves the second entry of the data[2] array uninitialized(!!), which is afterwards - without any check! - passed directly to the string creation:

std::string msg(data[1], ' '); --> crash as data[1] contains random value

Also the second part of the function, which reads the error message text, is not prepared for reading fragmented data.

Patched code that works well here can be found attached.
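The failure mode described in the ticket is a short read on a pipe: a header of two ints is read once, the call returns fewer bytes than requested, and the uninitialized length field is handed to std::string's constructor. The following is an added example, not the attached patch and not Boost.Process code, showing the defensive pattern a reader of this ticket would want to check for: a read_exact loop that retries until the whole header and payload have arrived (or EOF/error is hit), plus a bound on the length field before any allocation. FragmentedPipe, read_exact, read_error_report, make_report and kMaxErrorMessage are hypothetical names; FragmentedPipe is a constructed in-memory stand-in for the pipe that returns at most a few bytes per call, emulating the 4-of-8-byte read observed in the report.

```cpp
#include <algorithm>
#include <cerrno>
#include <cstring>
#include <stdexcept>
#include <string>
#include <sys/types.h>
#include <vector>

// Constructed stand-in for the pipe's read end: each call hands back at most
// `chunk` bytes, reproducing the short reads the ticket describes.
struct FragmentedPipe {
    std::vector<unsigned char> bytes;
    std::size_t pos;
    std::size_t chunk;
    FragmentedPipe(std::vector<unsigned char> b, std::size_t c)
        : bytes(std::move(b)), pos(0), chunk(c) {}
    ssize_t read(void* buf, std::size_t n) {
        if (pos >= bytes.size()) return 0;  // EOF: writer closed its end
        std::size_t take = std::min({n, chunk, bytes.size() - pos});
        std::memcpy(buf, bytes.data() + pos, take);
        pos += take;
        return static_cast<ssize_t>(take);
    }
};

// Read exactly `len` bytes, looping over short reads and EINTR.
// Returns false on EOF or a hard error, so the caller never sees a
// partially filled buffer.
template <class Source>
bool read_exact(Source& src, void* buf, std::size_t len) {
    auto* p = static_cast<unsigned char*>(buf);
    std::size_t got = 0;
    while (got < len) {
        ssize_t r = src.read(p + got, len - got);
        if (r < 0) { if (errno == EINTR) continue; return false; }
        if (r == 0) return false;  // writer went away before the report was complete
        got += static_cast<std::size_t>(r);
    }
    return true;
}

// Upper bound for a message length received from the child (assumed value);
// anything larger is treated as corrupt instead of reaching std::string.
constexpr std::size_t kMaxErrorMessage = 64 * 1024;

struct ErrorReport {
    bool present = false;   // true only when a complete, well-formed report was read
    int error_code = 0;
    std::string message;
};

// Hardened counterpart of the pattern in the ticket: header and payload are
// both read with read_exact, and data[1] is validated before allocation.
template <class Source>
ErrorReport read_error_report(Source& src) {
    ErrorReport rep;
    int data[2] = {0, 0};  // [0] = errno from the failed exec, [1] = message length
    if (!read_exact(src, data, sizeof(data))) return rep;  // nothing, or truncated header
    if (data[1] < 0 || static_cast<std::size_t>(data[1]) > kMaxErrorMessage)
        throw std::runtime_error("corrupt error report length from child");
    std::string msg(static_cast<std::size_t>(data[1]), ' ');
    if (!msg.empty() && !read_exact(src, &msg[0], msg.size())) return rep;
    rep.present = true;
    rep.error_code = data[0];
    rep.message = std::move(msg);
    return rep;
}

// Builds the byte stream a writer would emit: two ints followed by the message.
inline std::vector<unsigned char> make_report(int code, const std::string& msg) {
    int hdr[2] = {code, static_cast<int>(msg.size())};
    std::vector<unsigned char> out(sizeof(hdr));
    std::memcpy(out.data(), hdr, sizeof(hdr));
    out.insert(out.end(), msg.begin(), msg.end());
    return out;
}
```

With a chunk size of 4 the header alone takes two reads and the message several more, which is exactly the case a single ::read call mishandles; a stream that ends after the first 4 bytes yields `present == false` rather than a string built from garbage, and a header carrying an absurd length is rejected before any allocation.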

Attachments (1)

executor.hpp (16.1 KB ) - added by Elmar Daegele <elmar.daegele@…> 4 years ago.


Change History (1)

by Elmar Daegele <elmar.daegele@…>, 4 years ago

Attachment: executor.hpp added