[PATCH] fix strace -s N handling

Denys Vlasenko dvlasenk at redhat.com
Wed Nov 5 18:18:45 UTC 2008

On Wed, 2008-11-05 at 15:16 +0100, Denys Vlasenko wrote:
> Before this patch, -s N shows N+1 chars in strings.
> More annoyingly, it shows this for shorter strings:
> write(1, "hi\n"..., 3) = 3
> After patch:
> write(1, "hi\n", 3) = 3
> Patch author is Jeff Bastian jbastian at redhat.com
> Patch is below. Please apply.

It appears that the bug this patch fixes causes buffer overruns
and corrupts memory since we malloc just enough space for N chars
+ NUL but then try to stuff N+1 chars + NUL there.

See https://bugzilla.redhat.com/show_bug.cgi?id=466877

On a related note: look at this code:

printstr(struct tcb *tcp, long addr, int len)
{
        static char *str = NULL;
        static char *outstr;
        int size;
        /* ... */
        if (!str) {
                if ((str = malloc(max_strlen + 1)) == NULL
                    || (outstr = malloc(4*max_strlen
                                        + sizeof "\"\"...")) == NULL) {
                        fprintf(stderr, "out of memory\n");
                        tprintf("%#lx", addr);
                        return;
                }
        }
        /* ... */
        if (string_quote(str, outstr, len, size) && (len > max_strlen))
                strcat(outstr, "...");
        tprintf("%s", outstr);
}

If str allocation succeeds but outstr allocation fails, we error out,
but on next call we do not even try to allocate outstr, and will
invariably SEGV because it is still NULL. "free(str); str = NULL;"
is missing on the error path.

(This reinforces a theorem that the vast majority of programs
are hopelessly buggy wrt malloc failures... oh well...)
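As an added illustration (my own example, not strace's code or the patch under discussion), here is the two-buffer lazy allocation from printstr() with the rollback the mail says is missing, plus the -s N bound that appends "..." only when the string was actually cut. The failing-malloc hook and the unquoted rendering are constructed simplifications.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hook: when >= 0, the (fail_after+1)-th malloc returns NULL. */
static int fail_after = -1;
static void *xmalloc(size_t n)
{
        if (fail_after == 0) { fail_after = -1; return NULL; }
        if (fail_after > 0) fail_after--;
        return malloc(n);
}

/* Paired buffers as in printstr(): str holds max_strlen bytes + NUL read from
 * the tracee, outstr the quoted form (4 bytes per char worst case + "\"\"..."). */
static char *str = NULL;
static char *outstr = NULL;

/* Lazily allocate both buffers; 0 on success, -1 on out-of-memory.  The rollback
 * keeps "str != NULL implies outstr != NULL", so the next call retries safely. */
int ensure_buffers(size_t max_strlen)
{
        if (str)
                return 0;
        str = xmalloc(max_strlen + 1);
        if (!str)
                return -1;
        outstr = xmalloc(4 * max_strlen + sizeof "\"\"...");
        if (!outstr) {
                free(str);       /* the error path the mail says is missing */
                str = NULL;
                return -1;
        }
        return 0;
}

/* Render len bytes of src the way -s N should: at most max_strlen bytes land in
 * the max_strlen+1 buffer, and "..." is appended only if something was cut off. */
const char *render(const char *src, size_t len, size_t max_strlen)
{
        if (ensure_buffers(max_strlen) < 0)
                return "(out of memory)";
        size_t n = len > max_strlen ? max_strlen : len;
        memcpy(str, src, n);
        str[n] = '\0';
        snprintf(outstr, 4 * max_strlen + sizeof "\"\"...", "\"%s\"%s",
                 str, len > max_strlen ? "..." : "");
        return outstr;
}
```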

