Opened 4 years ago
#13590 new Bugs
Bug in executor::_read_error leads to bad string allocation exception
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | process |
| Version: | Boost 1.65.0 | Severity: | Showstopper |
| Keywords: | | Cc: | |
Description
Method executor::_read_error contains various weaknesses which can lead to string allocation with excessive length, causing exceptions at string construction or out-of-memory issues.
The most severe issue is caused by the fact that the method is not prepared for reading fragments from the pipe. As the pipe is not created with O_DIRECT, data can be fragmented. In fact, we observed that ::read returned just 4 bytes, although _write_error is writing 8 bytes. This leaves the second entry of the data[2] array uninitialized(!!), which is afterwards - without any check! - passed directly to the string creation:
std::string msg(data[1], ' '); --> crash as data[1] contains random value
Also the second part of the function, which reads the error message text, is not prepared for reading fragmented data.
Patched code that works well here can be found attached.
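The fragmented-read handling this report calls for, as an added example that is neither the attached patch nor Boost.Process code: a loop that keeps reading until the full header and message have arrived, and a length check before the string is allocated. The names `read_full`, `read_error` and `demo` and the 4096-byte cap are assumptions made for this illustration.

```cpp
#include <cerrno>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Read exactly n bytes; a single read() on a pipe may return fewer than asked.
static bool read_full(int fd, void* buf, std::size_t n) {
    for (std::size_t off = 0; off < n;) {
        ssize_t r = ::read(fd, static_cast<char*>(buf) + off, n - off);
        if (r < 0 && errno == EINTR) continue;  // interrupted: retry
        if (r <= 0) return false;               // error, or EOF before n bytes
        off += static_cast<std::size_t>(r);
    }
    return true;
}

static bool read_error(int fd, int& code, std::string& msg) {
    const int kMaxMsgLen = 4096;  // assumed cap for this example
    int data[2] = {0, 0};         // {error code, message length}, as in the ticket
    if (!read_full(fd, data, sizeof data)) return false;
    if (data[1] < 0 || data[1] > kMaxMsgLen) return false;  // check before allocating
    std::string text(static_cast<std::size_t>(data[1]), ' ');
    if (!text.empty() && !read_full(fd, &text[0], text.size())) return false;
    code = data[0];
    msg.swap(text);
    return true;
}

// Constructed demo: a child writes header + text one byte per write() call.
static bool demo(int err, int len, std::string text, int& code, std::string& msg) {
    int fds[2], hdr[2] = {err, len};
    if (::pipe(fds) != 0) return false;
    text.insert(0, reinterpret_cast<const char*>(hdr), sizeof hdr);
    pid_t pid = ::fork();
    if (pid == 0) {  // child: the writer
        ::close(fds[0]);
        for (std::size_t i = 0; i < text.size() && ::write(fds[1], &text[i], 1) == 1; ++i)
            ::usleep(2000);  // pause so the bytes do not arrive together
        ::_exit(0);
    }
    ::close(fds[1]);
    bool ok = pid > 0 && read_error(fds[0], code, msg);
    ::close(fds[0]);
    if (pid > 0) ::waitpid(pid, nullptr, 0);
    return ok;
}
int main() {
    int code = 0; std::string msg;
    return (demo(42, 5, "hello", code, msg) && msg == "hello") ? 0 : 1;
}
```

The caller's `code` and `msg` are only written once the whole message has been read, so a truncated or oversized message leaves them untouched.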