Subject: bin/2550: ps core dumps with certain arguments, eg wwwwwwwww1
To: None <gnats-bugs@NetBSD.ORG>
From: Greg Stark <gsstark@mit.edu>
List: netbsd-bugs
Date: 06/15/1996 06:07:08
>Number: 2550
>Category: bin
>Synopsis: ps core dumps with certain arguments, eg wwwwwwwww1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jun 15 06:20:04 1996
>Last-Modified:
>Originator: Greg Stark
>Organization:
MIT SIPB
>Release: 1.1
>Environment:
System: NetBSD lola-granola 1.1B NetBSD 1.1B (LOLA) #1: Mon Jun 10 21:36:50 EDT 1996 mycroft@zygorthian-space-raiders: /afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LOLA i386
>Description:
The kludge_oldps_options function can add two characters to the
argument, a leading -, and a p flag before a pid.
But it only allocates a buffer with one extra space and so it can
overwrite the end of the buffer. Typically it seems to core dump on
some later call to malloc.
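As an added illustration (not part of this PR or of the ps.c source), the following C reconstruction shows the sizing problem described above: the rewritten option string can grow by two characters, so a buffer of len + 2 leaves no room for the NUL terminator once both are added. The rewrite logic is an assumption drawn from the description (prepend '-' if it is absent, insert 'p' before trailing pid digits); the function names old_ps_needed_bytes, kludge_old_ps_options_fixed and rewrite_equals are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical reconstruction of the option rewrite the PR describes:
 * prepend '-' if it is missing and insert 'p' before a trailing pid.
 * Illustrative code only, not the ps.c implementation.
 */

/* Bytes the rewritten string needs: len + up to two added chars + NUL. */
size_t
old_ps_needed_bytes(const char *s)
{
    size_t len = strlen(s);
    size_t extra = 1;                       /* NUL terminator */

    if (*s != '-')
        extra++;                            /* leading '-' */
    if (len > 0 && isdigit((unsigned char)s[len - 1]))
        extra++;                            /* 'p' before the pid */
    return len + extra;
}

/* Rewrite with the corrected worst-case allocation of len + 3. */
char *
kludge_old_ps_options_fixed(const char *s)
{
    size_t len = strlen(s);
    const char *cp;
    char *newopts, *ns;

    /* worst case: '-' + options + 'p' + pid + NUL = len + 3 bytes */
    if ((newopts = ns = malloc(len + 3)) == NULL)
        return NULL;
    if (*s != '-')
        *ns++ = '-';
    /* locate the trailing run of digits, which is the pid if present */
    cp = s + len;
    while (cp > s && isdigit((unsigned char)cp[-1]))
        cp--;
    memcpy(ns, s, (size_t)(cp - s));        /* flag characters */
    ns += cp - s;
    if (*cp != '\0')
        *ns++ = 'p';                        /* flag the pid explicitly */
    strcpy(ns, cp);                         /* pid digits and NUL */
    return newopts;
}

/* Helper for checking: rewrite s and compare with the expected result. */
int
rewrite_equals(const char *s, const char *want)
{
    char *r = kludge_old_ps_options_fixed(s);
    int ok;

    if (r == NULL)
        return 0;
    ok = strcmp(r, want) == 0;
    free(r);
    return ok;
}

int
main(void)
{
    /* constructed inputs taken from the PR's How-To-Repeat examples */
    const char *cases[] = { "wwwwwwwww1", "cgxlww3376", "-cgxlww3376", "llllllll1" };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        char *r = kludge_old_ps_options_fixed(cases[i]);
        /* the old allocation was len + 2; compare it with the real need */
        printf("%-12s -> %-14s needs %zu bytes, old malloc gave %zu\n",
            cases[i], r, old_ps_needed_bytes(cases[i]),
            strlen(cases[i]) + 2);
        free(r);
    }
    return 0;
}
```

Running it shows that an argument without a leading '-' and with a trailing pid (the crashing cases above) needs len + 3 bytes, while the "-cgxlww$$" form that worked only needs len + 2 because the '-' is already present.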
>How-To-Repeat:
$ ps llllllll1
UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND
0 1 0 0 10 0 236 8 wait IWs ?? 0:00.86 /sbin/init
$ ps lllllllll1
Segmentation fault
$ ps wwwwwwwww1
Segmentation fault
$ ps wwwwwwwwwwwwwwwwwwwwwwwww1
PID TT STAT TIME COMMAND
Segmentation fault
$ echo $$
3376
$ ps -cgxlww$$
UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND
2133 3376 3352 35 10 20 364 204 wait SNs p4 0:01.87 sh
$ ps cgxlww$$
Segmentation fault
>Fix:
Here's a unified patch, untested:
$ diff -u /usr/src/bin/ps/ps.c /var/tmp/ps.c
--- /usr/src/bin/ps/ps.c Thu May 18 16:43:01 1995
+++ /var/tmp/ps.c Sat Jun 15 01:28:38 1996
@@ -432,7 +432,7 @@
char *newopts, *ns, *cp;
len = strlen(s);
- if ((newopts = ns = malloc(len + 2)) == NULL)
+ if ((newopts = ns = malloc(len + 3)) == NULL)
err(1, NULL);
/*
* options begin with '-'
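Review bot: the new size in the `+ if ((newopts = ns = malloc(len + 3)) == NULL)` line matches the worst case the description gives (a leading '-', a 'p' before the pid, and the NUL terminator), but the hunk leaves the sizing unexplained; a comment on that line naming the three extra bytes would keep a later edit from shrinking it back to len + 2. Since the submitter notes the patch is untested, the inputs from How-To-Repeat (`ps wwwwwwwww1`, `ps cgxlww$$`) are the ones to run against a rebuilt binary before committing.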
>Audit-Trail:
>Unformatted: