From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: Patrick McHardy <kaber@trash.net>
Cc: Henrik Nordstrom <hno@marasystems.com>,
Harald Welte <laforge@netfilter.org>,
netfilter-devel@lists.netfilter.org
Subject: Re: [2/2] osf: fixed /proc reading bug
Date: Mon, 23 Aug 2004 15:35:23 +0400
Message-ID: <1093260922.21197.156.camel@uganda>
In-Reply-To: <1093257554.21197.121.camel@uganda>
[-- Attachment #1.1: Type: text/plain, Size: 1277 bytes --]
On Mon, 2004-08-23 at 14:39, Evgeniy Polyakov wrote:
> On Mon, 2004-08-23 at 14:30, Evgeniy Polyakov wrote:
> > On Mon, 2004-08-23 at 13:55, Patrick McHardy wrote:
> > > Evgeniy Polyakov wrote:
> > >
> > > >It simply checks if return value from snprintf is 0 and breaks,
> > > >otherwise it proceeds.
> > > >
> > > Still broken. snprintf returns a value > n if it truncated to n bytes.
> > > See my last mail again. BTW, did the overflow actually cause problems ?
> > > proc has an extra k of space just for overflows ..
> >
> > If it truncates then we have [avoided] overflow and definitely will not
> > write anything after it (except zero-length snprintf) since
> > __count-count == 0 there.
>
> Actually <= 0 which is not good but avoids overflows.
> I can trigger overflow without patch (actually it was hard lockup without
> any messages).
>
> > Do you mean following:
> > list_for_each()
> > {
> > 	snprintf();
> > 	if (count > __count)
> > 		break;
> > }
>
> Attached with check
> __count >= count + err;
I'm not smoking bad crack, but it needs to be __count <= count + err;
Attached.
> >
> > >
> > > Regards
> > > Patrick
--
Evgeniy Polyakov ( s0mbre )
Crash is better than data corruption. -- Art Grabowski
[-- Attachment #1.2: ipt_osf.diff --]
[-- Type: text/x-patch, Size: 410 bytes --]
--- netfilter_cvs/patch-o-matic-ng/osf/linux-2.6/net/ipv4/netfilter/ipt_osf.c 2004-07-18 00:10:43.000000000 +0400
+++ netfilter_cvs/patch-o-matic-ng/osf/linux-2.6/net/ipv4/netfilter/ipt_osf.c 2004-08-20 21:55:22.000000000 +0400
@@ -411,8 +413,11 @@
}
}
- read_unlock(&osf_lock);
+ if (fcount)
+ fmatch = FMATCH_OK;
+ read_unlock(&osf_lock);
+
return (fmatch == FMATCH_OK)?1:0;
}
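Review bot: the added `if (fcount) fmatch = FMATCH_OK;` ahead of `read_unlock(&osf_lock)` changes the value the function returns, which has nothing to do with the /proc read overflow named in the subject. Please send it as a separate patch with a changelog that explains why a non-zero `fcount` should count as a match, so the overflow fix can be reviewed and applied on its own.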
[-- Attachment #1.3: ipt_osf.diff.1 --]
[-- Type: text/plain, Size: 1322 bytes --]
--- netfilter_cvs/patch-o-matic-ng/osf/linux-2.6/net/ipv4/netfilter/ipt_osf.c 2004-08-22 00:54:44.000000000 +0400
+++ netfilter_cvs/patch-o-matic-ng/osf/linux-2.6/net/ipv4/netfilter/ipt_osf.c 2004-08-20 22:36:24.000000000 +0400
@@ -182,7 +185,6 @@
optsize = tcp->doff*4 - sizeof(struct tcphdr);
}
-
/* Actually we can create hash/table of all genres and search
* only in appropriate part, but here is initial variant,
* so will use slow path.
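Review bot: the only change in this hunk is the removal of a blank line above the "Actually we can create hash/table" comment, which is unrelated to the /proc fix. Drop it from this patch so the diff contains only the bounds-checking change.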
@@ -601,9 +603,10 @@
{
struct list_head *ent;
struct osf_finger *f = NULL;
- int i;
+ int i, __count, err;
*eof = 1;
+ __count = count;
count = 0;
read_lock_bh(&osf_lock);
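Review bot: in `int i, __count, err;` the names hide what the variables hold. After `__count = count; count = 0;` the parameter `count` silently changes meaning from "bytes the caller allows" to "bytes written so far", and `err` is later assigned a length, not an error code. Something like `size` for the limit and `len` for the snprintf result would make the bounds check in the following hunks much easier to verify, and a double-underscore prefix is best avoided for a plain local.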
@@ -613,10 +616,13 @@
log("%s [%s]", f->genre, f->details);
- count += sprintf(buf+count, "%s - %s[%s] : %s",
+ err = snprintf(buf+count, __count-count, "%s - %s[%s] : %s",
f->genre, f->version,
f->subtype, f->details);
-
+ if (err == 0 || __count <= count + err)
+ break;
+ else
+ count += err;
if (f->opt_num)
{
loga(" OPT: ");
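Review bot: in `if (err == 0 || __count <= count + err)` the `err == 0` test can never be true, because the format string `"%s - %s[%s] : %s"` always produces its literal separator characters; only `__count <= count + err` does any work here. Drop the dead test, and the `else` after `break` is not needed either. It would also help to add a comment that on truncation the loop exits without advancing `count`, so the reader gets a shortened listing with no indication that entries were dropped.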
@@ -630,7 +636,11 @@
}
}
loga("\n");
- count += sprintf(buf+count, "\n");
+ err = snprintf(buf+count, __count-count, "\n");
+ if (err == 0 || __count <= count + err)
+ break;
+ else
+ count += err;
}
read_unlock_bh(&osf_lock);
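Review bot: when the `"\n"` does not fit, this `break` leaves `count` already advanced past the record text added by the earlier `snprintf`, so the output can end in a record with no terminating newline. Consider saving `count` at the top of each iteration and restoring it before `break`, so only complete lines are returned. The same check is now written out twice; a small helper that does the snprintf and the bounds test would keep the two copies from drifting apart.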
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
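The truncation rule discussed in this message (snprintf returns the length it would have written, so a result greater than or equal to the remaining space means the text was cut) is shown below as a user-space sketch. It is an added example, not part of the original message or of ipt_osf.c; `append`, `dump_fingers`, the `demo_*` helpers and the sample records are hypothetical, and it goes one step beyond the posted patch by rolling back to the last complete record.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct finger { const char *genre, *version, *subtype, *details; };
static const struct finger SAMPLE[] = {   /* constructed sample records */
    { "Linux", "2.6", "x", "a" }, { "BSD", "5.2", "y", "b" } };

/* Append at buf + *off. snprintf returns the length it WANTED to write,
 * so a result >= the remaining room means the text was truncated. */
static int append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t room = size - *off;          /* invariant: *off < size */
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room)
        return 0;                       /* truncated: *off not advanced */
    *off += (size_t)n;
    return 1;
}

/* Emit only whole records; returns how many fit. buf stays NUL-terminated. */
int dump_fingers(char *buf, size_t size, const struct finger *f, int nf)
{
    size_t off = 0;
    int i;
    if (size == 0) return 0;
    buf[0] = '\0';
    for (i = 0; i < nf; i++) {
        size_t start = off;             /* rollback point for this record */
        if (!append(buf, size, &off, "%s - %s[%s] : %s", f[i].genre,
                    f[i].version, f[i].subtype, f[i].details) ||
            !append(buf, size, &off, "\n")) {
            buf[start] = '\0';          /* drop the partial record */
            return i;
        }
    }
    return nf;
}

static char scratch[128];               /* demo sizes must be <= 128 */
int demo_records(size_t size) { return dump_fingers(scratch, size, SAMPLE, 2); }
size_t demo_bytes(size_t size) { demo_records(size); return strlen(scratch); }
int main(void) {
    printf("%d of 2 records fit in 30 bytes\n", demo_records(30));
    return 0;
}
```

With a 19-byte limit the first record's text fits but its newline does not, so the rollback returns an empty buffer instead of an unterminated line.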