Avoid a buffer overread if the child reports a wrong length

The child code isn't supposed to cause memory corruption, but if it does, try to report a problem rather than mess up further. Adapt the code to report the failure to the parent accordingly. In particular, we need to make sure that the first byte written to the reporting pipe is the result code in all cases, so don't jump over the writing of the result code. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-06-05 21:15:09 +00:00 · 2026-03-16 15:49:48 +01:00
parent f4677c89d6
commit a55f15580f
1 changed files with 10 additions and 4 deletions
@@ -64,12 +64,16 @@ static void run_child(
    }

    child_callback(param, buf, size, &length);
+    TEST_LE_U(length, size);

-    char result_char = mbedtls_test_get_result();
-    TEST_ASSERT(fputc(result_char, file) != EOF);
-
+    /* Label called `exit`: this is where TEST_ASSERT() and friends jump to. */
 exit:
-    if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_SUCCESS) {
+    ; // label followed by a declaration is not portable C
+    char result_char = mbedtls_test_get_result();
+    if (fputc(result_char, file) == EOF) {
+        goto write_done;
+    }
+    if (result_char == MBEDTLS_TEST_RESULT_SUCCESS) {
        if (fwrite(buf, length, 1, file) != 1) {
            goto write_done;
        }
@@ -85,6 +89,8 @@ exit:
    }
    child_exit_code = CHILD_EXIT_CODE_OK;

+    /* Label for `_exit()` call: this is where we jump to if the failure
+     * reporting fails. */
 write_done:
    _exit(child_exit_code);
 }