Debian bug report logs - #1337
Improper use of sscanf in procps
Package: procps; Reported by: Herbert Xu <herbert@greathan.apana.org.au>; 52 days old.
Message received at debian-bugs:
From i17linuxb.ists.pwr.wroc.pl!marekm Thu Oct 19 13:36:19 1995
Return-Path: <marekm@i17linuxb.ists.pwr.wroc.pl>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0t61hK-0004AEC; Thu, 19 Oct 95 13:36 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA18584
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 19 Oct 1995 13:35:49 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id VAA19249; Thu, 19 Oct 1995 21:36:03 +0100
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Message-Id: <199510192036.VAA19249@i17linuxb.ists.pwr.wroc.pl>
Subject: Re: Bug#1337: Improper use of sscanf in procps
To: debian-bugs@pixar.com, cblake@ucsd.edu
Date: Thu, 19 Oct 1995 21:36:02 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1290
The patch which replaces the %40c format with %39s sometimes doesn't
do the right thing: if the command name contains whitespace, it will
be truncated (according to the scanf man page, the %s format "matches
a sequence of non-white-space characters"). I suggest applying the
patch below.
BTW, this bug also sometimes causes strange output for zombie processes:
the pid and uid fields contain garbage. After converting the strange
pid value to hex and each byte to ASCII, this is "ie>\0". This is caused
by strcat() adding " <zombie>" to the string which is too long (not NUL-
terminated) and overwriting other fields in the structure. Not good...
Marek
diff -urN procps-0.97.orig/snap.c procps-0.97/snap.c
--- procps-0.97.orig/snap.c Sun Sep 25 19:46:21 1994
+++ procps-0.97/snap.c Thu Oct 19 21:33:56 1995
@@ -35,7 +35,8 @@
;
*tmp='\0';
/* Now we can parse these two strings separately */
- sscanf(S, "%d %40c", &P->pid, P->cmd);
+ memset(P->cmd, 0, sizeof(P->cmd);
+ sscanf(S, "%d %39c", &P->pid, P->cmd); /* sizeof(P->cmd) == 40 */
sscanf(tmp+1, "%c %d %d %d %d %d %u %u %u %u %u %d %d %d %d %d %d %u %u "
"%d %u %u %u %u %u %u %u %u %d %d %d %d %u",
&P->state, &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid,
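Review bot: the added line `memset(P->cmd, 0, sizeof(P->cmd);` is missing a closing parenthesis and will not compile as posted; it should read `memset(P->cmd, 0, sizeof(P->cmd));`. The width 39 in the new sscanf call is tied to the buffer size only by the trailing comment, so a later change to the size of P->cmd would quietly bring back the unterminated string; a sizeof-based check next to the call would catch that. The return value of sscanf is still ignored, so a line that fails to parse leaves P->cmd zeroed and P->pid unchanged with no indication to the caller.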
Acknowledgement sent to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>: Extra info received and forwarded.
Information forwarded to debian-devel@pixar.com: Bug#1337; Package procps.
Message received at debian-bugs:
From irz301.inf.tu-dresden.de!sr1 Wed Sep 27 14:43:32 1995
Return-Path: <sr1@irz301.inf.tu-dresden.de>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sy4GK-000GWdC; Wed, 27 Sep 95 14:43 PDT
Received: from irz301.inf.tu-dresden.de by pixar.com with SMTP id AA16295
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 27 Sep 1995 14:43:11 -0700
Received: by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) id WAA21395; Wed, 27 Sep 1995 22:42:36 +0100
Date: Wed, 27 Sep 1995 22:42:36 +0100
From: sr1@irz301.inf.tu-dresden.de (Sven Rudolph)
Message-Id: <199509272142.WAA21395@irz301.inf.tu-dresden.de>
To: herbert@greathan.apana.org.au, debian-bugs@pixar.com, imurdock@debian.org
Subject: Re: Bug#1337: Improper use of sscanf in procps
X-Debian-Pr: quiet
> Package: procps
> Version: 0.97-4
>
> Occasionally "ps -a" would display command lines incorrectly:
>
> $ ps -a
> PID TTY STAT TIME COMMAND
> 197 v11 SW 0:00 (getty)
> 198 v12 SW 0:00 (getty)
> 14360 v10 SW 0:00 (getty)
> 21795 v09 SW 3:50 (bash)
> 31647 s02 SW 0:01 (uugetty)map)
>
> <..deleted..>
(patch deleted)
I forwarded the patch to the original maintainer of procps, Charles
Blake <cblake@ucsd.edu> .
Sven
--
Sven Rudolph (sr1@inf.tu-dresden.de); WWW : http://www.sax.de/~sr1/
Acknowledgement sent to sr1@irz301.inf.tu-dresden.de (Sven Rudolph): Extra info received and filed, but not forwarded.
Message received at debian-bugs:
From ion.apana.org.au!greathan.apana.org.au!herbert Sat Sep 9 04:00:48 1995
Return-Path: <greathan.apana.org.au!herbert@ion.apana.org.au>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0srNeR-00052VC; Sat, 9 Sep 95 04:00 PDT
Received: from ion.apana.org.au by pixar.com with SMTP id AA07160
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 9 Sep 1995 04:00:27 -0700
Received: (from herbert@localhost) by greathan.apana.org.au (8.6.12/8.6.6) id UAA32665 for debian-bugs@pixar.com; Sat, 9 Sep 1995 20:46:40 +1000
From: Herbert Xu <herbert@greathan.apana.org.au>
Message-Id: <199509091046.UAA32665@greathan.apana.org.au>
Subject: Improper use of sscanf in procps
To: debian-bugs@pixar.com
Date: Sat, 9 Sep 1995 20:46:31 +1000 (EST)
X-Mailer: ELM [version 2.4 PL24 PGP2]
Content-Type: text
Content-Length: 1298
Package: procps
Version: 0.97-4
Occasionally "ps -a" would display command lines incorrectly:
$ ps -a
PID TTY STAT TIME COMMAND
197 v11 SW 0:00 (getty)
198 v12 SW 0:00 (getty)
14360 v10 SW 0:00 (getty)
21795 v09 SW 3:50 (bash)
31647 s02 SW 0:01 (uugetty)map)
<..deleted..>
Of course, the last line should've been "(uugetty)". The "map)" part
comes from "(rpc.portmap)". This is caused by the use of "%40c" in
snap.c when calling sscanf(). Since "%40c" doesn't put a NUL at the
end of the string, any parts of a previously assigned value would
remain, as is the case here. Here is a patch to fix it:
--- procps-0.97/snap.c.orig Sat Sep 9 19:28:02 1995
+++ procps-0.97/snap.c Sat Sep 9 19:45:33 1995
@@ -35,7 +35,7 @@
;
*tmp='\0';
/* Now we can parse these two strings separately */
- sscanf(S, "%d %40c", &P->pid, P->cmd);
+ sscanf(S, "%d %39s", &P->pid, P->cmd);
sscanf(tmp+1, "%c %d %d %d %d %d %u %u %u %u %u %d %d %d %d %d %d %u %u "
"%d %u %u %u %u %u %u %u %u %d %d %d %d %u",
&P->state, &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid,
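Review bot: in the replacement call `sscanf(S, "%d %39s", &P->pid, P->cmd);`, `%s` stops at the first whitespace character, so a command name that contains a space is cut off at that point. If such names need to be kept whole, a bounded `%c` read into a buffer that is cleared first keeps the termination guarantee without the truncation. The width 39 also assumes P->cmd is 40 bytes, which nothing in this hunk states; a comment or a sizeof-based check beside the call would make that dependency visible.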
--
A. B <=> True B. A <=> False
Email: Herbert Xu ~{PmV>HI~} <herbert@greathan.apana.org.au>
PGP Key: pgp-public-keys@pgp.mit.edu or any other key sites
Acknowledgement sent to Herbert Xu <herbert@greathan.apana.org.au>: New bug report received and forwarded.
Report forwarded to debian-devel@pixar.com: Bug#1337; Package procps.
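The behaviour described in the original report and in the follow-up message, as an added example that is not part of the bug log or of procps: a reused 40-byte `cmd` buffer parsed with each of the three format strings from the thread. The struct, the function names and the input lines are constructed for illustration; only the format strings and the buffer size come from the patches.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the procps struct; cmd is 40 bytes per the patch comment. */
struct proc { int pid; char cmd[40]; };

/* Original call: %40c copies raw bytes and never writes a terminating NUL. */
static int parse_40c(struct proc *p, const char *s) {
    return sscanf(s, "%d %40c", &p->pid, p->cmd);
}

/* First patch: %39s always terminates, but stops at the first whitespace. */
static int parse_39s(struct proc *p, const char *s) {
    return sscanf(s, "%d %39s", &p->pid, p->cmd);
}

/* Follow-up patch: clear the buffer, then copy at most 39 raw bytes. */
static int parse_39c(struct proc *p, const char *s) {
    memset(p->cmd, 0, sizeof(p->cmd));
    return sscanf(s, "%d %39c", &p->pid, p->cmd);
}

/* 1 if a NUL lies inside cmd, so string functions will not run past its end. */
static int is_terminated(const struct proc *p) {
    return memchr(p->cmd, '\0', sizeof(p->cmd)) != NULL;
}

/* Constructed inputs: the part of a stat line up to and including ')'. */
static const char *PORTMAP = "64 (rpc.portmap)";
static const char *UUGETTY = "31647 (uugetty)";
static const char *SPACED  = "500 (my daemon)";
static const char *LONGCMD = "7 (aaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaa" "aaaaa)";

int main(void) {
    struct proc p;
    memset(&p, 0, sizeof(p));
    parse_40c(&p, PORTMAP);
    parse_40c(&p, UUGETTY);            /* stale tail of the previous name survives */
    printf("%%40c, reused struct : %s\n", p.cmd);
    parse_40c(&p, LONGCMD);            /* all 40 bytes filled, no terminator */
    printf("%%40c, long name     : terminated=%d\n", is_terminated(&p));
    parse_39s(&p, SPACED);             /* name cut at the space */
    printf("%%39s, spaced name   : %s\n", p.cmd);
    parse_39c(&p, SPACED);             /* whole name kept */
    printf("%%39c + memset       : %s\n", p.cmd);
    parse_39c(&p, LONGCMD);            /* truncated to 39 bytes, still terminated */
    printf("%%39c, long name     : terminated=%d\n", is_terminated(&p));
    return 0;
}
```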
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism