Skip to content

Fix off-by-one heap-buffer-overflow in get_or_create_temp_file()#493

Open
xroche wants to merge 1 commit intoDataDog:mainfrom
xroche:fix/loader-off-by-one-heap-overflow
Open

Fix off-by-one heap-buffer-overflow in get_or_create_temp_file()#493
xroche wants to merge 1 commit intoDataDog:mainfrom
xroche:fix/loader-off-by-one-heap-overflow

Conversation

@xroche
Copy link

@xroche xroche commented Feb 25, 2026
edited
Loading

What does this PR do?

Fix off-by-one heap-buffer-overflow in get_or_create_temp_file() in src/lib/loader.c.

The malloc allocates strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2, but the path tmp_dir/prefix-digest\0 needs +3 (for /, -, and \0). The NUL terminator overflows by 1 byte.

Motivation

Detected via AddressSanitizer when dlopening libdd_profiling.so (v0.23.0 release):

==2568==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7bf027027061
WRITE of size 65 at 0x7bf027027061 thread T0
  [frame=0, function=strcat]
  [frame=1, function=get_or_create_temp_file, location=loader.c]
  [frame=2, function=loader, location=loader.c]

The sister function create_temp_file() is correct (only 1 separator).

Additional Notes

In practice, the 1-byte NUL overflow is benign on most allocators — it only crashes under ASAN.

How to test the change?

dlopen libdd_profiling.so under AddressSanitizer.

Classification

  • CWE-131: Incorrect Calculation of Buffer Size
  • CWE-122: Heap-based Buffer Overflow

Fixes #492

@xroche
Fix off-by-one heap-buffer-overflow in get_or_create_temp_file()
bf4b006 
The malloc size calculation in get_or_create_temp_file() allocates
strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2 bytes,
but the constructed path "tmp_dir/prefix-digest\0" requires +3 bytes
(for '/', '-', and the NUL terminator), not +2.

This causes a 1-byte heap-buffer-overflow when strcat writes the NUL
terminator of data.digest past the end of the allocated buffer.

Make the arithmetic explicit by writing each component's length
separately (+1 for each separator and the terminator), matching the
four strcat calls that follow.

The sister function create_temp_file() is not affected: its format
"tmp_dir/prefix.XXXXXX" only has one separator ('/'), and ".XXXXXX"
is already measured by strlen(".XXXXXX").

Fixes DataDog#492
@r1viollet
Copy link
Collaborator

r1viollet commented Feb 26, 2026

Thank you! We will look at why we did not pick this up on asan builds.

@xroche
Copy link
Author

xroche commented Feb 27, 2026

Thank you! We will look at why we did not pick this up on asan builds.

@r1viollet We detected several other issues; what would be the most efficient way to address them ?

  • Open a ticket
  • Open a ticket + PR
  • Just a PR
  • Discuss first

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r1viollet r1viollet Awaiting requested review from r1viollet r1viollet is a code owner

@nsavoire nsavoire Awaiting requested review from nsavoire nsavoire is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Heap-buffer-overflow (off-by-one) in get_or_create_temp_file() in loader.c

2 participants

@xroche @r1viollet