mirror of
https://github.com/zeek/zeek.git
synced 2025-10-10 10:38:20 +00:00
Func: Do not crash on va_args confusion for script funcs
Script and BIF functions with a single any parameter are excluded from type checking regarding arguments. This makes it possible to call a ScriptFunc with more arguments than it actually has parameters and frame space for, causing heap-buffer-overflows. This change runtime checks expected parameters and provided arguments and short-circuits execution as well as logging runtime expression errors. Fixes #2446
parent
2ed42ef771
commit
4314467e44
6 changed files with 70 additions and 0 deletions
11
src/Func.cc
11
src/Func.cc
|
@ -362,6 +362,17 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const
|
|||
const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
|
||||
call_stack.emplace_back(CallInfo{call_expr, this, *args});
|
||||
|
||||
// If a script function is ever invoked with more arguments than it has
|
||||
// parameters log an error and return. Most likely a "variadic function"
|
||||
// that only has a single any parameter and is excluded from static type
|
||||
// checking is involved. This should otherwise not be possible to hit.
|
||||
auto num_params = static_cast<size_t>(GetType()->Params()->NumFields());
|
||||
if ( args->size() > num_params )
|
||||
{
|
||||
emit_builtin_exception("too many arguments for function call");
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
if ( etm && Flavor() == FUNC_FLAVOR_EVENT )
|
||||
etm->StartEvent(this, args);
|
||||
|
||||
|
|
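Review bot: The early `return nullptr;` sits after `call_stack.emplace_back(CallInfo{call_expr, this, *args});` and no matching pop is visible on this path, so a rejected call may leave a stale entry on `call_stack` that skews later error locations and backtraces. If `emit_builtin_exception` needs that entry to report the call site, add `call_stack.pop_back();` before the return; otherwise move the check above the `emplace_back` line. If `emit_builtin_exception` throws rather than returns, the `return nullptr;` is unreachable and the same cleanup question applies to the unwind path. Because this guard is what keeps surplus arguments from being written past the frame, a comment such as `// Must run before any argument is copied into the frame.` would pin its position. `Invoke` starts and ends outside the hunk, so the pop and the frame writes could not be checked here.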