A potential bug to squeeze extra memory through command line arguments

haris iqbal haris.phnx at gmail.com
Fri Feb 19 12:17:40 UTC 2016


Hello.

I was going through the code of strace.c, when I found this line in
init() function.

tcbtabsize = argc;  /* Surely enough for all -p args.  */

That set me thinking: is it really what I think it is? Can it really
be that strace will allocate as many tcbtab pointers and tcp
structures as there are arguments I give to the program?

So I set out to find out whether there is a way to make strace take a
lot of memory, without actually using it.

Firstly I tried to find out whether there is a way to give a large number of
arguments and still make strace work as it should. It turns out that
there is. One can give as many -i (or some other such arguments) as
arguments and strace would work properly.

Then, I wanted to make sure whether the code is actually allocating
as many resources as there are arguments. So I went into the
cleanup() function that is called through error_msg_and_die(). And
there I added debugging code to see how many of them were actually
allocated. It turns out that they were allocated.
I added a print statement in the for loop of cleanup(). It ran as
many times as there were arguments. Although the useful one
was the first one only, which had the pid of the process being traced
(strace was run with the -p <pid> option).

So, summing it all up: I ran a script which gave strace a -p option
and a process pid to trace, along with some 600000 -i options. It
ran successfully with a memory consumption of around 100 MB. That's a
lot for a small system with limited memory.


-- 

With regards,

Md Haris Iqbal,
Placement Coordinator, MTech IT
NITK Surathkal,
Contact: +91 8861996962
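As an added illustration (not strace's code, and not part of the mail above): the fix the report points at is to size the tcb table by the number of -p arguments rather than by argc. The function below counts -p options in the form "-p PID" or "-pPID" (assuming one pid per option and no bundled short options), and struct tcb_stub is a hypothetical stand-in for strace's struct tcb.

```c
/* Added example, not strace's own code.  tcb_needed() and struct tcb_stub
 * are hypothetical names used only for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for strace's struct tcb; only the size matters here. */
struct tcb_stub { int pid; char pad[1024]; };

/* Count the process ids given as "-p PID" or "-pPID".  That is how many
 * tcb entries the attach path actually needs, whatever argc says. */
size_t tcb_needed(int argc, char **argv)
{
    size_t n = 0;
    for (int i = 1; i < argc; i++) {
        const char *arg = argv[i];
        if (strncmp(arg, "-p", 2) != 0)
            continue;               /* -i, -f, ... need no tcb */
        if (arg[2] == '\0') {
            if (i + 1 >= argc)
                break;              /* trailing "-p" without a pid */
            i++;                    /* skip the pid argument */
        }
        n++;
    }
    return n;
}

/* Bytes the tcb table would occupy for a given number of entries. */
size_t table_bytes(size_t entries)
{
    return entries * sizeof(struct tcb_stub);
}

int main(int argc, char **argv)
{
    size_t need = tcb_needed(argc, argv);
    printf("sized by argc: %zu bytes; sized by -p count: %zu bytes\n",
           table_bytes((size_t)argc), table_bytes(need));
    return 0;
}
```

Running it with many -i options and a single -p shows the gap between the two sizing strategies directly.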
