This repository has been archived by the owner on May 4, 2018. It is now read-only.
unix: fix format string vulnerability in freebsd.c
uv_set_process_title() was susceptible to a format string vulnerability:

    $ node -e 'process.title = Array(42).join("%s")'
    Segmentation fault: 11 (core dumped)

The fix is trivial - call setproctitle("%s", s) instead of setproctitle(s) - but valgrind complains loudly about reads from and writes to uninitialized memory in libc. It's not a libuv bug because the test case below triggers the same warnings:

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(void) {
      setproctitle("%s", "test");
      return 0;
    }

That's why this commit replaces setproctitle() with sysctl(KERN_PROC_ARGS).
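
The two call shapes named in the commit message, side by side, as an added example that is not part of the commit or of libuv: `mock_setproctitle` is a hypothetical printf-style stand-in for FreeBSD's `setproctitle(3)` so the block builds on any platform, `count_conversions` is an illustrative helper, and the input strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setproctitle(3): a variadic, printf-style
 * function that formats its arguments into a fixed title buffer. */
static char title_buf[64];

static int mock_setproctitle(const char *fmt, ...) {
  va_list ap;
  int n;
  va_start(ap, fmt);
  n = vsnprintf(title_buf, sizeof(title_buf), fmt, ap);
  va_end(ap);
  return n;
}

/* Count every '%' in s that is not part of a literal "%%". Each one makes
 * a printf-style callee fetch an argument from the variadic list. */
static int count_conversions(const char *s) {
  int n = 0;
  for (; *s != '\0'; s++) {
    if (*s != '%') continue;
    if (s[1] == '%') { s++; continue; }
    n++;
  }
  return n;
}

/* Fixed shape: untrusted text is an argument, never the format string. */
static const char *set_title_safe(const char *untrusted) {
  mock_setproctitle("%s", untrusted);
  return title_buf;
}

/* Vulnerable shape, for comparison: untrusted text is the format string,
 * so every conversion in it reads an argument that was never passed.
 * Only called with benign input in this example. */
static const char *set_title_vulnerable(const char *untrusted) {
  mock_setproctitle(untrusted);
  return title_buf;
}

int main(void) {
  const char *hostile = "%s%s%s"; /* constructed input */
  printf("conversions in input: %d\n", count_conversions(hostile));
  printf("safe shape stores: %s\n", set_title_safe(hostile));
  printf("benign input, old shape: %s\n", set_title_vulnerable("node"));
  return 0;
}
```

With the fixed shape the percent signs end up in the title verbatim; with the old shape the number reported by `count_conversions` is how many arguments the callee would try to read without any having been supplied.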