From: Arun Bhanu <arun@codemovers.org>
To: linux-hotplug@vger.kernel.org
Subject: Re: [PATCH] udev - read long lines from config files overflow fix
Date: Sun, 05 Sep 2004 18:28:11 +0000 [thread overview]
Message-ID: <20040905182811.GA12371@spock.enterprise> (raw)
In-Reply-To: <20040904170854.GA12270@spock.enterprise>
Hi Kay,
On 23:12 Sat 04 Sep , Kay Sievers wrote:
> Cool, a real bug :)
> Thanks, for the patch. I think it would be better to skip lenghth exceeding
> lines instead of cutting it and continue. While looking at it I restructured
> the buffer reading logic a bit and fixed another stupid bug.
Thanks for the cleanup.
You may have overlooked the fix for udev_config.c(parsing udev.conf) in
your patch. So, I've adapted the fixes you applied to namedev_parse.c
to this file also.
Also, while 'eating' the whitespace the 'count' doesn't get decremented.
This leads strncpy to copy the number of whitespace minus 1 characters
from the next line. Minus 1 because it copies '\n' from the current
line.
while (isspace(bufline[0])) {
bufline++;
+ count--;
}
.
.
.
strncpy(line, bufline, count);
Included patch(against udev-030) contains the above fixes as well as
your fixes.
--Arun
Signed-off-by: Arun Bhanu <arun@codemovers.org>
diff -Nru a/klibc_fixups.c b/klibc_fixups.c
--- a/klibc_fixups.c 2004-07-10 01:59:09.000000000 +0800
+++ b/klibc_fixups.c 2004-09-05 17:41:34.000000000 +0800
@@ -41,8 +41,9 @@
static unsigned long get_id_by_name(const char *uname, const char *dbfile)
{
unsigned long id = -1;
- char line[255];
+ char line[LINE_SIZE];
char *buf;
+ char *bufline;
size_t bufsize;
size_t cur;
size_t count;
@@ -59,19 +60,19 @@
}
/* loop through the whole file */
-
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
+ bufline = &buf[cur];
+ cur += count+1;
+
+ if (count >= LINE_SIZE)
+ continue;
- strncpy(line, buf + cur, count);
+ strncpy(line, bufline, count);
line[count] = '\0';
pos = line;
- cur += count+1;
- if (cur > bufsize)
- break;
-
/* get name */
name = strsep(&pos, ":");
if (name = NULL)
diff -Nru a/namedev_parse.c b/namedev_parse.c
--- a/namedev_parse.c 2004-07-10 01:59:09.000000000 +0800
+++ b/namedev_parse.c 2004-09-06 01:26:25.153941464 +0800
@@ -58,7 +58,7 @@
{
dbg_parse("name='%s', symlink='%s', bus='%s', place='%s', id='%s', "
"sysfs_file[0]='%s', sysfs_value[0]='%s', "
- "kernel='%s', program='%s', result='%s'",
+ "kernel='%s', program='%s', result='%s'"
"owner='%s', group='%s', mode=%#o",
dev->name, dev->symlink, dev->bus, dev->place, dev->id,
dev->sysfs_pair[0].file, dev->sysfs_pair[0].value,
@@ -144,7 +144,8 @@
static int namedev_parse_rules(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
int lineno;
char *temp;
char *temp2;
@@ -155,6 +156,7 @@
size_t cur;
size_t count;
int program_given = 0;
+ int valid;
int retval = 0;
struct config_device dev;
@@ -168,35 +170,41 @@
/* loop through the whole file */
cur = 0;
lineno = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp = '\0') || (*temp = '\n'))
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(struct config_device));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* get all known keys */
+ memset(&dev, 0x00, sizeof(struct config_device));
+ temp = line;
+ valid = 0;
+
while (1) {
retval = parse_get_pair(&temp, &temp2, &temp3);
if (retval)
@@ -204,16 +212,19 @@
if (strcasecmp(temp2, FIELD_BUS) = 0) {
strfieldcpy(dev.bus, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_ID) = 0) {
strfieldcpy(dev.id, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PLACE) = 0) {
strfieldcpy(dev.place, temp3);
+ valid = 1;
continue;
}
@@ -238,54 +249,62 @@
}
strfieldcpy(pair->file, attr);
strfieldcpy(pair->value, temp3);
+ valid = 1;
}
continue;
}
if (strcasecmp(temp2, FIELD_KERNEL) = 0) {
strfieldcpy(dev.kernel, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PROGRAM) = 0) {
program_given = 1;
strfieldcpy(dev.program, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_RESULT) = 0) {
strfieldcpy(dev.result, temp3);
+ valid = 1;
continue;
}
if (strncasecmp(temp2, FIELD_NAME, sizeof(FIELD_NAME)-1) = 0) {
attr = get_key_attribute(temp2 + sizeof(FIELD_NAME)-1);
- if (attr != NULL)
- if (strcasecmp(attr, ATTR_PARTITIONS) = 0) {
+ if (attr != NULL && strcasecmp(attr, ATTR_PARTITIONS) = 0) {
dbg_parse("creation of partition nodes requested");
dev.partitions = PARTITIONS_COUNT;
}
strfieldcpy(dev.name, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_SYMLINK) = 0) {
strfieldcpy(dev.symlink, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_OWNER) = 0) {
strfieldcpy(dev.owner, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_GROUP) = 0) {
strfieldcpy(dev.group, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_MODE) = 0) {
dev.mode = strtol(temp3, NULL, 8);
+ valid = 1;
continue;
}
@@ -293,16 +312,20 @@
goto error;
}
+ /* skip line if not any valid key was found */
+ if (!valid)
+ goto error;
+
/* simple plausibility checks for given keys */
if ((dev.sysfs_pair[0].file[0] = '\0') ^
(dev.sysfs_pair[0].value[0] = '\0')) {
- dbg("inconsistency in " FIELD_SYSFS " key");
+ info("inconsistency in " FIELD_SYSFS " key");
goto error;
}
if ((dev.result[0] != '\0') && (program_given = 0)) {
- dbg(FIELD_RESULT " is only useful when "
- FIELD_PROGRAM " is called in any rule before");
+ info(FIELD_RESULT " is only useful when "
+ FIELD_PROGRAM " is called in any rule before");
goto error;
}
@@ -313,8 +336,8 @@
dbg("add_config_dev returned with error %d", retval);
continue;
error:
- dbg("%s:%d:%d: parse error, rule skipped",
- filename, lineno, temp - line);
+ info("parse error %s, line %d:%d, rule skipped",
+ filename, lineno, temp - line);
}
}
@@ -324,7 +347,8 @@
static int namedev_parse_permissions(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *temp2;
char *buf;
@@ -333,6 +357,7 @@
size_t count;
int retval = 0;
struct perm_device dev;
+ int lineno;
if (file_map(filename, &buf, &bufsize) = 0) {
dbg("reading '%s' as permissions file", filename);
@@ -343,34 +368,41 @@
/* loop through the whole file */
cur = 0;
- while (1) {
+ lineno = 0;
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp = '\0') || (*temp = '\n'))
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(dev));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* parse the line */
+ memset(&dev, 0x00, sizeof(struct perm_device));
+ temp = line;
+
temp2 = strsep(&temp, ":");
if (!temp2) {
dbg("cannot parse line '%s'", line);
diff -Nru a/udev.h b/udev.h
--- a/udev.h 2004-07-10 01:59:10.000000000 +0800
+++ b/udev.h 2004-09-05 17:41:34.000000000 +0800
@@ -37,6 +37,8 @@
#define DEVPATH_SIZE 255
#define SUBSYSTEM_SIZE 30
+#define LINE_SIZE 256
+
/* length of public data */
#define UDEVICE_LEN (offsetof(struct udevice, bus_id))
diff -Nru a/udev_config.c b/udev_config.c
--- a/udev_config.c 2004-07-10 01:59:09.000000000 +0800
+++ b/udev_config.c 2004-09-06 01:26:57.346047520 +0800
@@ -127,7 +127,8 @@
static int parse_config_file(void)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *variable;
char *value;
@@ -148,32 +149,37 @@
/* loop through the whole file */
lineno = 0;
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, conf line skipped %s, line %d",
+ udev_config_filename, lineno);
+ continue;
+ }
/* empty line? */
- if (*temp = 0x00)
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ temp = line;
+ dbg_parse("read '%s'", temp);
+
retval = parse_get_pair(&temp, &variable, &value);
if (retval != 0)
info("%s:%d:%Zd: error parsing '%s'",
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id\x10808&op=click
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
next prev parent reply other threads:[~2004-09-05 18:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-04 17:08 [PATCH] udev - read long lines from config files overflow fix Arun Bhanu
2004-09-04 21:12 ` Kay Sievers
2004-09-05 18:28 ` Arun Bhanu [this message]
2004-09-05 18:51 ` Kay Sievers
2004-09-10 20:03 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040905182811.GA12371@spock.enterprise \
--to=arun@codemovers.org \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.