authorNicolò Mazzucato <nicomazz97@gmail.com>2020-04-22 21:01:53 +0100
committerJohn Levon <john.levon@joyent.com>2020-06-03 03:01:46 -0700
commitd15d17d4231f87f1571fa6d585377206f360f667 (patch)
tree1afdee7918aa8b3ff53596a1e16803e27a8a2b07
parent8fff788790878e3c95666decd46960ecc74c1c69 (diff)
downloadillumos-joyent-d15d17d4231f87f1571fa6d585377206f360f667.tar.gz
12786 fix CTF pointer overrun
Reviewed by: Toomas Soome <tsoome@me.com> Reviewed by: Robert Mustacchi <rm@fingolfin.org> Approved by: Dan McDonald <danmcd@joyent.com>
-rw-r--r--usr/src/common/ctf/ctf_lookup.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/usr/src/common/ctf/ctf_lookup.c b/usr/src/common/ctf/ctf_lookup.c
index 05aa54d6cb..b45b7ad793 100644
--- a/usr/src/common/ctf/ctf_lookup.c
+++ b/usr/src/common/ctf/ctf_lookup.c
@@ -133,7 +133,8 @@ ctf_lookup_by_name(ctf_file_t *fp, const char *name)
for (lp = fp->ctf_lookups; lp->ctl_prefix != NULL; lp++) {
if (lp->ctl_prefix[0] == '\0' ||
- strncmp(p, lp->ctl_prefix, (size_t)(q - p)) == 0) {
+ ((size_t)(q - p) >= lp->ctl_len && strncmp(p,
+ lp->ctl_prefix, (size_t)(q - p)) == 0)) {
for (p += lp->ctl_len; isspace(*p); p++)
continue; /* skip prefix and next ws */
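Review bot: The new `(size_t)(q - p) >= lp->ctl_len` guard in the prefix test has no comment saying why it is needed, and the reason is not obvious from the condition alone: without it, a token shorter than the prefix can still compare equal under `strncmp` over `q - p` bytes, and the following `p += lp->ctl_len` then steps past the end of `name`. I would add `/* token must be at least ctl_len bytes, else p += ctl_len below overruns name */` above the condition. The guard appears sufficient only as long as `ctl_len` always equals `strlen(ctl_prefix)`; that is set outside this hunk and worth confirming, including for the empty-prefix entry, which bypasses the guard through the `||`. A regression test that looks up a name shorter than one of the lookup prefixes would keep this from coming back. `ctf_lookup_by_name` starts and ends outside the hunk.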