From: Kay Sievers <kay.sievers@vrfy.org>
To: linux-hotplug@vger.kernel.org
Subject: Re: [PATCH] udev - read long lines from config files overflow fix
Date: Sat, 04 Sep 2004 21:12:38 +0000 [thread overview]
Message-ID: <20040904211238.GA32386@vrfy.org> (raw)
In-Reply-To: <20040904170854.GA12270@spock.enterprise>
[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]
On Sun, Sep 05, 2004 at 01:08:54AM +0800, Arun Bhanu wrote:
> A line containing more than 255 characters in any of the config files -
> *.rules, *.permissions or udev.conf - causes udevstart to segfault while
> reading them. To reproduce, put a comment line longer than 255
> characters in any of the above files.
>
> The following patch against udev-030 fixes it.
Cool, a real bug :)
Thanks, for the patch. I think it would be better to skip lenghth exceeding
lines instead of cutting it and continue. While looking at it I restructured
the buffer reading logic a bit and fixed another stupid bug.
o Lines with a exceeding length are skipped.
o we now skip empty lines, comment lines and leading whitespace before
we copy over our line string to parse.
o Fix for another bug. If we don't find any valuable key in a line, we
need to skip this line completely and not assume that this is a ignore
rule.
o Send line parsing errors to log, as nobody will ever notice it without
recompilation of udev
Thanks,
Kay
[-- Attachment #2: udev-line-bug-01.patch --]
[-- Type: text/plain, Size: 8190 bytes --]
===== klibc_fixups.c 1.10 vs edited =====
--- 1.10/klibc_fixups.c 2004-05-21 06:12:37 +02:00
+++ edited/klibc_fixups.c 2004-09-04 23:03:30 +02:00
@@ -41,8 +41,9 @@
static unsigned long get_id_by_name(const char *uname, const char *dbfile)
{
unsigned long id = -1;
- char line[255];
+ char line[LINE_SIZE];
char *buf;
+ char *bufline;
size_t bufsize;
size_t cur;
size_t count;
@@ -59,18 +60,18 @@ static unsigned long get_id_by_name(cons
}
/* loop through the whole file */
-
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
+ bufline = &buf[cur];
+ cur += count+1;
+
+ if (count >= LINE_SIZE)
+ continue;
- strncpy(line, buf + cur, count);
+ strncpy(line, bufline, count);
line[count] = '\0';
pos = line;
-
- cur += count+1;
- if (cur > bufsize)
- break;
/* get name */
name = strsep(&pos, ":");
===== namedev_parse.c 1.34 vs edited =====
--- 1.34/namedev_parse.c 2004-03-25 14:10:52 +01:00
+++ edited/namedev_parse.c 2004-09-04 22:24:14 +02:00
@@ -58,7 +58,7 @@ void dump_config_dev(struct config_devic
{
dbg_parse("name='%s', symlink='%s', bus='%s', place='%s', id='%s', "
"sysfs_file[0]='%s', sysfs_value[0]='%s', "
- "kernel='%s', program='%s', result='%s'",
+ "kernel='%s', program='%s', result='%s'"
"owner='%s', group='%s', mode=%#o",
dev->name, dev->symlink, dev->bus, dev->place, dev->id,
dev->sysfs_pair[0].file, dev->sysfs_pair[0].value,
@@ -144,7 +144,8 @@ static char *get_key_attribute(char *str
static int namedev_parse_rules(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
int lineno;
char *temp;
char *temp2;
@@ -155,6 +156,7 @@ static int namedev_parse_rules(char *fil
size_t cur;
size_t count;
int program_given = 0;
+ int valid;
int retval = 0;
struct config_device dev;
@@ -168,35 +170,39 @@ static int namedev_parse_rules(char *fil
/* loop through the whole file */
cur = 0;
lineno = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp == '\0') || (*temp == '\n'))
+ if (bufline[0] == '\0' || bufline[0] == '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0]))
+ bufline++;
+
/* see if this is a comment */
- if (*temp == COMMENT_CHARACTER)
+ if (bufline[0] == COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(struct config_device));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* get all known keys */
+ memset(&dev, 0x00, sizeof(struct config_device));
+ temp = line;
+ valid = 0;
+
while (1) {
retval = parse_get_pair(&temp, &temp2, &temp3);
if (retval)
@@ -204,16 +210,19 @@ static int namedev_parse_rules(char *fil
if (strcasecmp(temp2, FIELD_BUS) == 0) {
strfieldcpy(dev.bus, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_ID) == 0) {
strfieldcpy(dev.id, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PLACE) == 0) {
strfieldcpy(dev.place, temp3);
+ valid = 1;
continue;
}
@@ -238,54 +247,62 @@ static int namedev_parse_rules(char *fil
}
strfieldcpy(pair->file, attr);
strfieldcpy(pair->value, temp3);
+ valid = 1;
}
continue;
}
if (strcasecmp(temp2, FIELD_KERNEL) == 0) {
strfieldcpy(dev.kernel, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PROGRAM) == 0) {
program_given = 1;
strfieldcpy(dev.program, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_RESULT) == 0) {
strfieldcpy(dev.result, temp3);
+ valid = 1;
continue;
}
if (strncasecmp(temp2, FIELD_NAME, sizeof(FIELD_NAME)-1) == 0) {
attr = get_key_attribute(temp2 + sizeof(FIELD_NAME)-1);
- if (attr != NULL)
- if (strcasecmp(attr, ATTR_PARTITIONS) == 0) {
+ if (attr != NULL && strcasecmp(attr, ATTR_PARTITIONS) == 0) {
dbg_parse("creation of partition nodes requested");
dev.partitions = PARTITIONS_COUNT;
}
strfieldcpy(dev.name, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_SYMLINK) == 0) {
strfieldcpy(dev.symlink, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_OWNER) == 0) {
strfieldcpy(dev.owner, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_GROUP) == 0) {
strfieldcpy(dev.group, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_MODE) == 0) {
dev.mode = strtol(temp3, NULL, 8);
+ valid = 1;
continue;
}
@@ -293,16 +310,20 @@ static int namedev_parse_rules(char *fil
goto error;
}
+ /* skip line if not any valid key was found */
+ if (!valid)
+ goto error;
+
/* simple plausibility checks for given keys */
if ((dev.sysfs_pair[0].file[0] == '\0') ^
(dev.sysfs_pair[0].value[0] == '\0')) {
- dbg("inconsistency in " FIELD_SYSFS " key");
+ info("inconsistency in " FIELD_SYSFS " key");
goto error;
}
if ((dev.result[0] != '\0') && (program_given == 0)) {
- dbg(FIELD_RESULT " is only useful when "
- FIELD_PROGRAM " is called in any rule before");
+ info(FIELD_RESULT " is only useful when "
+ FIELD_PROGRAM " is called in any rule before");
goto error;
}
@@ -313,8 +334,8 @@ static int namedev_parse_rules(char *fil
dbg("add_config_dev returned with error %d", retval);
continue;
error:
- dbg("%s:%d:%d: parse error, rule skipped",
- filename, lineno, temp - line);
+ info("parse error %s, line %d:%d, rule skipped",
+ filename, lineno, temp - line);
}
}
@@ -324,7 +345,8 @@ error:
static int namedev_parse_permissions(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *temp2;
char *buf;
@@ -333,6 +355,7 @@ static int namedev_parse_permissions(cha
size_t count;
int retval = 0;
struct perm_device dev;
+ int lineno;
if (file_map(filename, &buf, &bufsize) == 0) {
dbg("reading '%s' as permissions file", filename);
@@ -343,34 +366,39 @@ static int namedev_parse_permissions(cha
/* loop through the whole file */
cur = 0;
- while (1) {
+ lineno = 0;
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp == '\0') || (*temp == '\n'))
+ if (bufline[0] == '\0' || bufline[0] == '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0]))
+ bufline++;
+
/* see if this is a comment */
- if (*temp == COMMENT_CHARACTER)
+ if (bufline[0] == COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(dev));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* parse the line */
+ memset(&dev, 0x00, sizeof(struct perm_device));
+ temp = line;
+
temp2 = strsep(&temp, ":");
if (!temp2) {
dbg("cannot parse line '%s'", line);
===== udev.h 1.58 vs edited =====
--- 1.58/udev.h 2004-08-05 00:43:58 +02:00
+++ edited/udev.h 2004-09-04 19:30:25 +02:00
@@ -37,6 +37,8 @@
#define DEVPATH_SIZE 255
#define SUBSYSTEM_SIZE 30
+#define LINE_SIZE 256
+
/* length of public data */
#define UDEVICE_LEN (offsetof(struct udevice, bus_id))
next prev parent reply other threads:[~2004-09-04 21:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-04 17:08 [PATCH] udev - read long lines from config files overflow fix Arun Bhanu
2004-09-04 21:12 ` Kay Sievers [this message]
2004-09-05 18:28 ` Arun Bhanu
2004-09-05 18:51 ` Kay Sievers
2004-09-10 20:03 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040904211238.GA32386@vrfy.org \
--to=kay.sievers@vrfy.org \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.