Linux bluetooth development
From: Rafal Michalski <michalski.raf@gmail.com>
To: linux-bluetooth@vger.kernel.org
Cc: Rafal Michalski <michalski.raf@gmail.com>
Subject: [PATCH] Fix crash while reading from mapped file
Date: Fri, 10 Dec 2010 14:55:48 +0100
Message-ID: <1291989348-3911-1-git-send-email-michalski.raf@gmail.com>

After opening a file from /var/lib/bluetooth/<bt_addr>/ and mapping it to
memory, as is done in the "textfile_foreach" function in textfile.c,
it may crash when the size of the file is equal to the page size
(or its multiplicity), since the "strpbrk" function operates on a string
and so expects a zero at the end of the buffer (the "mmap" function zeroes
the remaining memory only when mapping a file whose size is not a
multiple of the page size, so in this case the "strpbrk" function can't
find the null terminating character and goes out of bounds).
This patch provides a buffer which contains a null terminating character to
avoid the crash.
---
 src/textfile.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/src/textfile.c b/src/textfile.c
index 2429cc7..393efb8 100644
--- a/src/textfile.c
+++ b/src/textfile.c
@@ -376,7 +376,7 @@ char *textfile_caseget(const char *pathname, const char *key)
 int textfile_foreach(const char *pathname, textfile_cb func, void *data)
 {
 	struct stat st;
-	char *map, *off, *end, *key, *value;
+	char *map, *off, *end, *key, *value, *buffer = NULL;
 	off_t size; size_t len;
 	int fd, err = 0;
 
@@ -404,6 +404,13 @@ int textfile_foreach(const char *pathname, textfile_cb func, void *data)
 
 	off = map;
 
+	if (!(size % getpagesize())) {
+		buffer = malloc(size + 1);
+		memset(buffer, 0, size + 1);
+		memcpy(buffer, map, size);
+		off = buffer;
+	}
+
 	while (1) {
 		end = strpbrk(off, " ");
 		if (!end) {
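
Review bot: the result of malloc(size + 1) in the added block is never checked, so on allocation failure the memset() and memcpy() that follow write through NULL and the out-of-bounds read is traded for a different crash. Check for NULL, store an error such as ENOMEM in err and leave through the existing cleanup labels. If the copy stays, the memset() of the whole buffer is redundant, since only buffer[size] needs to be zero after the memcpy(). The copy also duplicates the entire file to gain one terminating byte, and only when size is a page multiple; bounding the search by the known size instead of relying on a terminator would avoid the allocation and handle every file size on one code path.
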
@@ -458,6 +465,7 @@ unlock:
 
 close:
 	close(fd);
+	free(buffer);
 	errno = err;
 
 	return 0;
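
Review bot: with return 0 unconditional after close:, the only channel through which a failure in the new copy path can reach the caller is errno = err, so that path has to set err before it jumps here; as posted nothing does. Calling free(buffer) ahead of errno = err is the right order, because free() may modify errno, and it is safe on the paths that never allocate only because the declaration initialises buffer to NULL, which is worth a short comment next to the declaration.
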
-- 
1.6.3.3
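
The failure mode described in the commit message, as an added example that is not part of the posted patch or of BlueZ: it uses a bounded search in place of the patch's copy-and-terminate approach. The names mem_pbrk, count_fields and demo_page_sized_input are hypothetical, and the input is a constructed anonymous mapping with a guard page standing in for a storage file of exactly one page.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE		/* for MAP_ANONYMOUS on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Bounded stand-in for strpbrk(): scans [p, end) only, so no NUL is needed. */
static const char *mem_pbrk(const char *p, const char *end, const char *accept)
{
	for (; p < end; p++)
		if (*p && strchr(accept, *p))
			return p;
	return NULL;
}

/* Count delimiter-separated fields in exactly len bytes of buf. */
static size_t count_fields(const char *buf, size_t len, const char *delims)
{
	const char *off = buf, *end = buf + len, *hit;
	size_t n = 0;
	while (off < end) {
		hit = mem_pbrk(off, end, delims);
		if (!hit)
			hit = end;	/* last field runs to the end of the data */
		if (hit > off)
			n++;
		off = hit < end ? hit + 1 : end;
	}
	return n;
}

/* Constructed input: one fully used page with no NUL byte, followed by an
 * inaccessible guard page, so any read past the data faults at once. */
static long demo_page_sized_input(void)
{
	size_t page = (size_t) sysconf(_SC_PAGESIZE);
	char *map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	long n = -1;
	if (map == MAP_FAILED)
		return -1;
	memset(map, 'A', page);
	map[17] = ' ';			/* separator between two fields */
	if (mprotect(map + page, page, PROT_NONE) == 0)
		n = (long) count_fields(map, page, " ");
	munmap(map, 2 * page);
	return n;
}

int main(void) { return demo_page_sized_input() == 2 ? 0 : 1; }
```

Running strpbrk() over the same mapping would read into the guard page and fault, which is the crash the commit message describes made deterministic.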

