Debian bug report logs - #1337
Improper use of sscanf in procps

Package: procps; Reported by: Herbert Xu; 52 days old.

-----------------------------------------------------------------------

Message received at debian-bugs:

From i17linuxb.ists.pwr.wroc.pl!marekm Thu Oct 19 13:36:19 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t61hK-0004AEC; Thu, 19 Oct 95 13:36 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA18584 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 19 Oct 1995 13:35:49 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id VAA19249; Thu, 19 Oct 1995 21:36:03 +0100
From: Marek Michalkiewicz
Message-Id: <199510192036.VAA19249@i17linuxb.ists.pwr.wroc.pl>
Subject: Re: Bug#1337: Improper use of sscanf in procps
To: debian-bugs@pixar.com, cblake@ucsd.edu
Date: Thu, 19 Oct 1995 21:36:02 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1290

The patch which replaces the %40c format with %39s sometimes doesn't do the right thing: if the command name contains whitespace, it will be truncated (according to the scanf man page, the %s format "matches a sequence of non-white-space characters").

I suggest to apply the patch below.

BTW, this bug also sometimes causes strange output for zombie processes: the pid and uid fields containing garbage. After converting the strange pid value to hex and each byte to ASCII, this is "ie>\0". This is caused by strcat() adding " " to the string which is too long (not NUL-terminated) and overwriting other fields in the structure. Not good...

Marek

diff -urN procps-0.97.orig/snap.c procps-0.97/snap.c --- procps-0.97.orig/snap.c Sun Sep 25 19:46:21 1994 +++ procps-0.97/snap.c Thu Oct 19 21:33:56 1995 
@@ -35,7 +35,8 @@ ; *tmp='\0'; /* Now we can parse these two strings separately */ - sscanf(S, "%d %40c", &P->pid, P->cmd); + memset(P->cmd, 0, sizeof(P->cmd); + sscanf(S, "%d %39c", &P->pid, P->cmd); /* sizeof(P->cmd) == 40 */ sscanf(tmp+1, "%c %d %d %d %d %d %u %u %u %u %u %d %d %d %d %d %d %u %u " "%d %u %u %u %u %u %u %u %u %d %d %d %d %u", &P->state, &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid,

-----------------------------------------------------------------------

Acknowledgement sent to Marek Michalkiewicz:
Extra info received and forwarded. Full text available.

-----------------------------------------------------------------------

Information forwarded to debian-devel@pixar.com:
Bug#1337; Package procps. Full text available.

-----------------------------------------------------------------------

Message received at debian-bugs:

From irz301.inf.tu-dresden.de!sr1 Wed Sep 27 14:43:32 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sy4GK-000GWdC; Wed, 27 Sep 95 14:43 PDT
Received: from irz301.inf.tu-dresden.de by pixar.com with SMTP id AA16295 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 27 Sep 1995 14:43:11 -0700
Received: by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) id WAA21395; Wed, 27 Sep 1995 22:42:36 +0100
Date: Wed, 27 Sep 1995 22:42:36 +0100
From: sr1@irz301.inf.tu-dresden.de (Sven Rudolph)
Message-Id: <199509272142.WAA21395@irz301.inf.tu-dresden.de>
To: herbert@greathan.apana.org.au, debian-bugs@pixar.com, imurdock@debian.org
Subject: Re: Bug#1337: Improper use of sscanf in procps
X-Debian-Pr: quiet

> Package: procps
> Version: 0.97-4
>
> Occasionally "ps -a" would display command lines incorrectly:
>
> $ ps -a
>   PID TTY STAT  TIME COMMAND
>   197 v11 SW    0:00 (getty)
>   198 v12 SW    0:00 (getty)
> 14360 v10 SW    0:00 (getty)
> 21795 v09 SW    3:50 (bash)
> 31647 s02 SW    0:01 (uugetty)map)
>
> <..deleted..>

(patch deleted)

I forwarded the patch to the original maintainer of procps, Charles Blake.

Sven
--
Sven Rudolph (sr1@inf.tu-dresden.de); WWW : http://www.sax.de/~sr1/

-----------------------------------------------------------------------

Acknowledgement sent to sr1@irz301.inf.tu-dresden.de (Sven Rudolph):
Extra info received and filed, but not forwarded. Full text available.

-----------------------------------------------------------------------

Message received at debian-bugs:

From ion.apana.org.au!greathan.apana.org.au!herbert Sat Sep 9 04:00:48 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0srNeR-00052VC; Sat, 9 Sep 95 04:00 PDT
Received: from ion.apana.org.au by pixar.com with SMTP id AA07160 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 9 Sep 1995 04:00:27 -0700
Received: (from herbert@localhost) by greathan.apana.org.au (8.6.12/8.6.6) id UAA32665 for debian-bugs@pixar.com; Sat, 9 Sep 1995 20:46:40 +1000
From: Herbert Xu
Message-Id: <199509091046.UAA32665@greathan.apana.org.au>
Subject: Improper use of sscanf in procps
To: debian-bugs@pixar.com
Date: Sat, 9 Sep 1995 20:46:31 +1000 (EST)
X-Mailer: ELM [version 2.4 PL24 PGP2]
Content-Type: text
Content-Length: 1298

Package: procps
Version: 0.97-4

Occasionally "ps -a" would display command lines incorrectly:

$ ps -a
  PID TTY STAT  TIME COMMAND
  197 v11 SW    0:00 (getty)
  198 v12 SW    0:00 (getty)
14360 v10 SW    0:00 (getty)
21795 v09 SW    3:50 (bash)
31647 s02 SW    0:01 (uugetty)map)

<..deleted..>

Of course, the last line should've been "(uugetty)". The "map)" part comes from "(rpc.portmap)".

This is caused by the use of "%40c" in snap.c when calling sscanf(). Since "%40c" doesn't put a NUL at the end of the string, any parts of a previously assigned value would remain, as is the case here.

Here is a patch to fix it:

--- procps-0.97/snap.c.orig Sat Sep 9 19:28:02 1995 +++ procps-0.97/snap.c Sat Sep 9 19:45:33 1995 @@ -35,7 +35,7 @@ ; *tmp='\0'; /* Now we can parse these two strings separately */ - sscanf(S, "%d %40c", &P->pid, P->cmd); + sscanf(S, "%d %39s", &P->pid, P->cmd); sscanf(tmp+1, "%c %d %d %d %d %d %u %u %u %u %u %d %d %d %d %d %d %u %u " "%d %u %u %u %u %u %u %u %u %d %d %d %d %u", &P->state, &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid,

--
A. B <=> True
B. A <=> False
Email: Herbert Xu ~{PmV>HI~}
PGP Key: pgp-public-keys@pgp.mit.edu or any other key sites

-----------------------------------------------------------------------

Acknowledgement sent to Herbert Xu:
New bug report received and forwarded. Full text available.

-----------------------------------------------------------------------

Report forwarded to debian-devel@pixar.com:
Bug#1337; Package procps. Full text available.

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov
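
Review bot: The added memset line in Marek Michalkiewicz's snap.c hunk (@@ -35,7 +35,8 @@) is missing a closing parenthesis, "memset(P->cmd, 0, sizeof(P->cmd);", so the patch does not compile as posted; it should end in "sizeof(P->cmd));". The NUL termination also relies on the width in %39c staying one below the array size, which the hunk records only in the trailing comment /* sizeof(P->cmd) == 40 */; setting the last byte of P->cmd to zero after the call would keep that guarantee if the array is ever resized. The sscanf() return value is still unchecked, so a line that does not match leaves P->pid at its previous value next to a now-empty cmd.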
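
Review bot: The replacement conversion %39s in Herbert Xu's snap.c hunk (@@ -35,7 +35,7 @@) stops at the first whitespace character, so a command name that contains a space is cut short even though the result is now NUL-terminated. To keep the whole name, stay with a %c conversion of width 39 and zero P->cmd before the call, so that the 40-byte buffer always ends in a NUL and no bytes from the previous process survive.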
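
The three sscanf() variants discussed in this log, run against one reused 40-byte buffer. This is an added example, not code from procps or from the reporters; struct proc, the helper names and the sample lines are constructed for illustration, with only the uugetty/rpc.portmap pair taken from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the snap.c record; the log gives sizeof(P->cmd) == 40. */
struct proc { int pid; char cmd[40]; };
typedef void (*parser_fn)(struct proc *, const char *);

/* Original call: %40c stores up to 40 bytes and never writes a NUL.
   Return values are ignored in all three helpers to mirror the calls in the log. */
static void parse_40c(struct proc *p, const char *s) {
    sscanf(s, "%d %40c", &p->pid, p->cmd);
}

/* First patch: %39s always terminates, but stops at the first whitespace. */
static void parse_39s(struct proc *p, const char *s) {
    sscanf(s, "%d %39s", &p->pid, p->cmd);
}

/* Follow-up approach: zero the buffer, then read at most 39 bytes with %c. */
static void parse_39c(struct proc *p, const char *s) {
    memset(p->cmd, 0, sizeof(p->cmd));
    sscanf(s, "%d %39c", &p->pid, p->cmd);
}

/* Parse two lines into one reused record and return the second command,
   or NULL when cmd holds no NUL byte (unsafe to hand to strcat or printf). */
static const char *reuse(parser_fn parse, const char *first, const char *second) {
    static struct proc p;
    memset(&p, 0, sizeof(p));
    parse(&p, first);
    parse(&p, second);
    return memchr(p.cmd, 0, sizeof(p.cmd)) ? p.cmd : NULL;
}

/* Constructed inputs; every PID except 31647 is made up. */
static const char PORTMAP[] = "120 (rpc.portmap)";
static const char UUGETTY[] = "31647 (uugetty)";
static const char SPACED[]  = "77 (my prog)";
static const char LONGCMD[] = "9 (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)";

int main(void) {
    const char *r = reuse(parse_40c, PORTMAP, LONGCMD);
    printf("%%40c long name : %s\n", r ? r : "(no NUL in cmd)");
    printf("%%40c reused    : %s\n", reuse(parse_40c, PORTMAP, UUGETTY));
    printf("%%39s spaced    : %s\n", reuse(parse_39s, PORTMAP, SPACED));
    printf("%%39c spaced    : %s\n", reuse(parse_39c, PORTMAP, SPACED));
    printf("%%39c long name : %zu bytes\n", strlen(reuse(parse_39c, PORTMAP, LONGCMD)));
    return 0;
}
```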