File: PR-2337-0002-fix-userspace-libsinsp-avoid-copying-past-end-of-dat.patch

falcosecurity-libs 0.20.0-3
  • area: main
  • in suites: trixie
  • size: 23,732 kB
  • sloc: ansic: 532,812; cpp: 100,792; python: 1,490; sh: 532; makefile: 195
Bug: https://github.com/falcosecurity/libs/issues/2333
Origin: https://github.com/falcosecurity/libs/pull/2337
From 60345cb4f3aac24c768fc420af705230f46e9265 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Wed, 9 Apr 2025 10:28:52 +0200
Subject: [PATCH 2/2] fix(userspace/libsinsp): avoid copying past end of data
 bytes.

Another edge case of `evt.rawarg.*` fields.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
---
 userspace/libsinsp/filter_compare.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/userspace/libsinsp/filter_compare.cpp b/userspace/libsinsp/filter_compare.cpp
index 4c2b49151..a42d7dff2 100644
--- a/userspace/libsinsp/filter_compare.cpp
+++ b/userspace/libsinsp/filter_compare.cpp
@@ -601,7 +601,18 @@ static inline toT flt_cast(const void* ptr, uint32_t len) {
 		shift = len - sizeof(fromT);
 	}
 #endif
-	memcpy(&val, (uint8_t*)ptr + shift, sizeof(fromT));
+
+	/*
+	 * Another fix for `evt.rawarg.*` fields:
+	 * it can happen that we evaluated eg: `evt.rawarg.flags` to be uin16_t at filter compile time,
+	 * but then when we extract from event, we expect an uint32_t.
+	 * Without this check, we would try to copy 4B of data while our ptr only holds 2B of data.
+	 */
+	size_t size = sizeof(fromT);
+	if(len > 0 && len < size) {
+		size = len;
+	}
+	memcpy(&val, (uint8_t*)ptr + shift, size);
 
 	return static_cast<toT>(val);
 }
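Review bot: the clamped `memcpy(&val, (uint8_t*)ptr + shift, size);` fills only `len` bytes of `val` when `len < sizeof(fromT)`, so the value returned by `static_cast<toT>(val)` depends on how the remaining `sizeof(fromT) - len` bytes were initialized, and that declaration is not visible in this hunk. Please confirm `val` is zero-initialized before the copy (or zero it here), and check that a short copy into the start of `val` still gives the right value on the path that sets `shift = len - sizeof(fromT);`, since the bytes would then sit at the wrong end of the integer. Separately, the guard `if(len > 0 && len < size)` leaves `size` at `sizeof(fromT)` when `len == 0`, so that case still reads the full width from `ptr`; if `len == 0` is meant as "length unknown, trust the caller", say so in the comment, otherwise return early. Minor: `uin16_t` in the new comment should read `uint16_t`.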
-- 
2.42.0