[Bluez-devel] [PATCH] Fix infinite loops in textfile.c

[Bluez-devel] [PATCH] Fix infinite loops in textfile.c

[Ville Nuorvala]

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]

Hi,

both textfile_put() and textfile_get() go into inifinite loops if a 
string matching the search key is found anywhere except at the beginning 
of a line.

Both functions may also get false positive matches if the search key 
forms a substring of some other key in the same file.

The attached patch fixes both problems, but I can split it up into two 
separate parts if you wish.

Regards,
Ville
-- 
Ville Nuorvala
Research Assistant,
Laboratory for Theoretical Computer Science,
Helsinki University of Technology
email: vnuorval@tcs.hut.fi, phone: +358 (0)9 451 5257

[-- Attachment #2: infinite_loop.patch --]
[-- Type: text/x-patch, Size: 1710 bytes --]

Index: common/textfile.c
===================================================================
RCS file: /cvsroot/bluez/utils/common/textfile.c,v
retrieving revision 1.7
diff -u -r1.7 textfile.c
--- common/textfile.c	7 Sep 2005 17:31:56 -0000	1.7
+++ common/textfile.c	9 Sep 2005 15:31:10 -0000
@@ -113,6 +113,15 @@
 	return err;
 }
 
+static inline char *find_key(char *map, char *key, size_t len)
+{
+	char *off = strstr(map, key);
+
+	while (off && ((off > map && *(off - 1) != '\r' && *(off - 1) != '\n') || *(off + len) != ' '))
+		off = strstr(off + len, key);
+	return off;
+}
+
 int textfile_put(char *pathname, char *key, char *value)
 {
 	struct stat st;
@@ -148,7 +157,7 @@
 		goto unlock;
 	}
 
-	off = strstr(map, key);
+	off = find_key(map, key, strlen(key));
 	if (!off) {
 		munmap(map, size);
 		pos = lseek(fd, size, SEEK_SET);
@@ -156,18 +165,6 @@
 		goto unlock;
 	}
 
-	if (off > map) {
-		while (*(off - 1) != '\r' && *(off - 1) != '\n') {
-			off = strstr(off, key);
-			if (!off) {
-				munmap(map, size);
-				pos = lseek(fd, size, SEEK_SET);
-				err = write_key_value(fd, key, value);
-				goto unlock;
-			}
-		}
-	}
-
 	base = off - map;
 
 	end = strpbrk(off, "\r\n");
@@ -254,29 +251,19 @@
 		goto unlock;
 	}
 
-	off = strstr(map, key);
+	len = strlen(key);
+	off = find_key(map, key, len);
 	if (!off) {
 		err = EILSEQ;
 		goto unmap;
 	}
 
-	if (off > map) {
-		while (*(off - 1) != '\r' && *(off - 1) != '\n') {
-			off = strstr(off, key);
-			if (!off) {
-				err = EILSEQ;
-				goto unmap;
-			}
-		}
-	}
-
 	end = strpbrk(off, "\r\n");
 	if (!end) {
 		err = EILSEQ;
 		goto unmap;
 	}
 
-	len = strlen(key);
 	str = malloc(end - off - len);
 	if (!str) {
 		err = EILSEQ;

Re: [Bluez-devel] [PATCH] Fix infinite loops in textfile.c

[Marcel Holtmann]

Hi Ville,

> both textfile_put() and textfile_get() go into inifinite loops if a 
> string matching the search key is found anywhere except at the beginning 
> of a line.
> 
> Both functions may also get false positive matches if the search key 
> forms a substring of some other key in the same file.
> 
> The attached patch fixes both problems, but I can split it up into two 
> separate parts if you wish.

no need to split it. Thanks for the patch. I applied it.

What do you think about writing some regression tests for the textfile
library?

Regards

Marcel




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel