Fix a buffer overflow in gdbr_parse_processes_xml (#5973)

suleif0 · web-flow · commit 5897f30c2532 · 2026-03-04T01:27:08.000+08:00
* Fix a buffer overflow in gdbr_parse_processes_xml, and added a regression test for it
diff --git a/subprojects/rzgdb/src/gdbclient/xml.c b/subprojects/rzgdb/src/gdbclient/xml.c
@@ -361,7 +361,7 @@ static int gdbr_parse_target_xml(libgdbr_t *g, char *xml_data, ut64 len) {
 </osdata>
 */
 static int gdbr_parse_processes_xml(libgdbr_t *g, char *xml_data, ut64 len, int pid, RzList *list) {
-	char pidstr[MAX_PID_CHARS + 1], status[1024], cmdline[1024];
+	char pidstr[MAX_PID_CHARS + 1], status[1024], cmdline[4096];
 	char *itemstr, *column, *column_end, *proc_filename;
 	int ret = -1, ipid, column_data_len;
 	RzDebugPid *pid_info = NULL;
@@ -408,8 +408,7 @@ static int gdbr_parse_processes_xml(libgdbr_t *g, char *xml_data, ut64 len, int
 
 		column += sizeof("<column name=\"command\">") - 1;
 		column_data_len = column_end - column;
-
-		memcpy(cmdline, column, column_data_len);
+		memcpy(cmdline, column, RZ_MIN(column_data_len, sizeof(cmdline)));
 		cmdline[column_data_len] = '\0';
 
 		// Attempt to read the pid's info from /proc. Non UNIX systems will have the
diff --git a/test/db/archos/linux-x64/dbg_gdbserver b/test/db/archos/linux-x64/dbg_gdbserver
@@ -13,3 +13,16 @@ EXPECT=<<EOF
 0x0
 EOF
 RUN
+
+NAME=gdbserver dp
+FILE=bins/elf/analysis/pie
+CMDS=<<EOF
+!scripts/gdbserver.py --port 12346 --multi --binary bins/elf/analysis/pie
+oodf gdb://127.0.0.1:12346
+dp 
+EOF
+REGEXP_FILTER_OUT=(^\s*[*-]\s*(\d+\s+ppid:\d+\s+uid:\d+))
+EXPECT=<<EOF
+ - 1 ppid:0 uid:0
+EOF
+RUN
diff --git a/test/scripts/gdbserver.py b/test/scripts/gdbserver.py
@@ -40,12 +40,22 @@ def main():
         action="store_true",
         help="print stdout output from gdbserver",
     )
+    parser.add_argument(
+        "--multi",
+        default=False,
+        action="store_true",
+        help="start gdbserver in multi-process (extended-remote) mode",
+    )
     args = parser.parse_args()
 
     while True:
-        for output in execute(
-            ["gdbserver", "{}:{}".format(args.host, args.port), args.binary]
-        ):
+        cmd = ["gdbserver"]
+        if args.multi:
+            cmd.append("--multi")  # --multi comes before HOST:PORT
+        cmd.append(f"{args.host}:{args.port}")
+        if args.binary:
+            cmd.append(args.binary)
+        for output in execute(cmd):
             if args.output:
                 print(output)
             # Exit once gdbserver is ready for connections
