From 8f805d3329e985f0ea0851fa1522ab447765af27 Mon Sep 17 00:00:00 2001
From: Josh Stone
Date: Fri, 9 Oct 2009 17:32:26 -0700
Subject: PR10750: Enforce a reasonable limit on # of varargs

If we leave the number of args unbounded, then an excessively-sized printf could cause a kernel stack overflow. I've arbitrarily chosen 32 as our new maximum.

* translate.cxx (c_unparser::visit_print_format): Throw if >32 args.
* testsuite/transko/varargs.stp: Assert that 33 args aren't allowed.
* testsuite/transok/varargs.stp: Assert that 32 args are ok.
---
testsuite/transko/varargs.stp | 10 ++++++++++
testsuite/transok/varargs.stp | 9 +++++++++
translate.cxx | 5 +++++
3 files changed, 24 insertions(+)
create mode 100755 testsuite/transko/varargs.stp
create mode 100755 testsuite/transok/varargs.stp

diff --git a/testsuite/transko/varargs.stp b/testsuite/transko/varargs.stp
new file mode 100755
index 00000000..f38309ad
--- /dev/null
+++ b/testsuite/transko/varargs.stp
@@ -0,0 +1,10 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32,
+ 33)
+}
diff --git a/testsuite/transok/varargs.stp b/testsuite/transok/varargs.stp
new file mode 100755
index 00000000..216166f6
--- /dev/null
+++ b/testsuite/transok/varargs.stp
@@ -0,0 +1,9 @@
+#! stap -p3
+
+probe begin {
+ // PR10750 enforces at most 32 print args
+ println(1, 2, 3, 4, 5, 6, 7, 8,
+ 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24,
+ 25, 26, 27, 28, 29, 30, 31, 32)
+}
diff --git a/translate.cxx b/translate.cxx
index 9d456bca..1109449d 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -4178,6 +4178,11 @@ c_unparser::visit_print_format (print_format* e)
 {
 stmt_expr block(*this);
+ // PR10750: Enforce a reasonable limit on # of varargs
+ // 32 varargs leads to max 256 bytes on the stack
+ if (e->args.size() > 32)
+ throw semantic_error("too many arguments to print", e->tok);
+
 // Compute actual arguments
 vector tmp;
-- cgit
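Review bot: The new bound is a bare literal that appears both in the `> 32` test and in the comment above it, and the diagnostic never tells the script author what the limit actually is; name it once and surface it in the message, e.g. `const unsigned max_print_args = 32;` / `if (e->args.size() > max_print_args)` / `throw semantic_error("too many arguments to print (max 32)", e->tok);`. The "32 varargs leads to max 256 bytes on the stack" comment should also spell out the assumption it rests on — presumably that each vararg reaches the generated print call as one 8-byte integer or pointer — so that anyone who later changes how arguments are passed knows this stack-budget bound must be revisited rather than silently outgrown. Note that this is a translation-time check on the script, so it caps stack use of the generated module for any script that gets through the translator, but nothing here protects a module built by other means. The enclosing visit_print_format continues past the end of the hunk, so the loop that materializes the arguments into `tmp` is not visible here.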