[PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when

linux-hotplug.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when
@ 2007-02-01 15:06 Sergey Vlasov
  2007-02-01 17:18 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Kay Sievers
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Sergey Vlasov @ 2007-02-01 15:06 UTC (permalink / raw)
  To: linux-hotplug

When truncating the substitution string to the length specified in the
format string, head[len] = '\0' could write outside the buffer if that
length was too large.

Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
---
 udev_rules.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/udev_rules.c b/udev_rules.c
index 44b41e9..90a83e5 100644
--- a/udev_rules.c
+++ b/udev_rules.c
@@ -558,7 +558,7 @@ found:
 			break;
 		}
 		/* possibly truncate to format-char specified length */
-		if (len != -1) {
+		if (len >= 0 && (size_t)len < maxsize - (head-string)) {
 			head[len] = '\0';
 			dbg("truncate to %i chars, subtitution string becomes '%s'", len, head);
 		}
-- 
1.5.0.rc2.gd894fb


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x120709&bid&3057&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer
  2007-02-01 15:06 [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when Sergey Vlasov
@ 2007-02-01 17:18 ` Kay Sievers
  2007-02-01 19:09 ` Sergey Vlasov
  2007-02-01 19:26 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the Kay Sievers
  2 siblings, 0 replies; 4+ messages in thread
From: Kay Sievers @ 2007-02-01 17:18 UTC (permalink / raw)
  To: linux-hotplug

On 2/1/07, Sergey Vlasov <vsu@altlinux.ru> wrote:
> When truncating the substitution string to the length specified in the
> format string, head[len] = '\0' could write outside the buffer if that
> length was too large.
>
> Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
> ---
>  udev_rules.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/udev_rules.c b/udev_rules.c
> index 44b41e9..90a83e5 100644
> --- a/udev_rules.c
> +++ b/udev_rules.c
> @@ -558,7 +558,7 @@ found:
>                         break;
>                 }
>                 /* possibly truncate to format-char specified length */
> -               if (len != -1) {
> +               if (len >= 0 && (size_t)len < maxsize - (head-string)) {

Yeah, that should be fixed. Wouldn't:
  if (len >= 0 && len <= strlen(head))
also catch strings which fit in the buffer, but are shorter than the
specified limit?

Thanks,
Kay

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x120709&bid&3057&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer
  2007-02-01 15:06 [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when Sergey Vlasov
  2007-02-01 17:18 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Kay Sievers
@ 2007-02-01 19:09 ` Sergey Vlasov
  2007-02-01 19:26 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the Kay Sievers
  2 siblings, 0 replies; 4+ messages in thread
From: Sergey Vlasov @ 2007-02-01 19:09 UTC (permalink / raw)
  To: linux-hotplug


[-- Attachment #1.1: Type: text/plain, Size: 1232 bytes --]

On Thu, Feb 01, 2007 at 06:18:16PM +0100, Kay Sievers wrote:
> On 2/1/07, Sergey Vlasov <vsu@altlinux.ru> wrote:
> >When truncating the substitution string to the length specified in the
> >format string, head[len] = '\0' could write outside the buffer if that
> >length was too large.
> >
> >Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
> >---
> > udev_rules.c |    2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/udev_rules.c b/udev_rules.c
> >index 44b41e9..90a83e5 100644
> >--- a/udev_rules.c
> >+++ b/udev_rules.c
> >@@ -558,7 +558,7 @@ found:
> >                        break;
> >                }
> >                /* possibly truncate to format-char specified length */
> >-               if (len != -1) {
> >+               if (len >= 0 && (size_t)len < maxsize - (head-string)) {
> 
> Yeah, that should be fixed. Wouldn't:
>  if (len >= 0 && len <= strlen(head))
> also catch strings which fit in the buffer, but are shorter than the
> specified limit?

Yes, this should work properly too (or even "&& len < strlen(head)" to
skip writing '\0' over itself).  Working in constant time is probably
not an issue here, given the number of strlcat() calls around.

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 374 bytes --]

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

[-- Attachment #3: Type: text/plain, Size: 226 bytes --]

_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/3] udev_rules_apply_format(): don't overflow the
  2007-02-01 15:06 [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when Sergey Vlasov
  2007-02-01 17:18 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Kay Sievers
  2007-02-01 19:09 ` Sergey Vlasov
@ 2007-02-01 19:26 ` Kay Sievers
  2 siblings, 0 replies; 4+ messages in thread
From: Kay Sievers @ 2007-02-01 19:26 UTC (permalink / raw)
  To: linux-hotplug

On Thu, 2007-02-01 at 22:09 +0300, Sergey Vlasov wrote:
> On Thu, Feb 01, 2007 at 06:18:16PM +0100, Kay Sievers wrote:
> > On 2/1/07, Sergey Vlasov <vsu@altlinux.ru> wrote:
> > >When truncating the substitution string to the length specified in the
> > >format string, head[len] = '\0' could write outside the buffer if that
> > >length was too large.
> > >
> > >Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
> > >---
> > > udev_rules.c |    2 +-
> > > 1 files changed, 1 insertions(+), 1 deletions(-)
> > >
> > >diff --git a/udev_rules.c b/udev_rules.c
> > >index 44b41e9..90a83e5 100644
> > >--- a/udev_rules.c
> > >+++ b/udev_rules.c
> > >@@ -558,7 +558,7 @@ found:
> > >                        break;
> > >                }
> > >                /* possibly truncate to format-char specified length */
> > >-               if (len != -1) {
> > >+               if (len >= 0 && (size_t)len < maxsize - (head-string)) {
> > 
> > Yeah, that should be fixed. Wouldn't:
> >  if (len >= 0 && len <= strlen(head))
> > also catch strings which fit in the buffer, but are shorter than the
> > specified limit?
> 
> Yes, this should work properly too (or even "&& len < strlen(head)" to
> skip writing '\0' over itself).  Working in constant time is probably
> not an issue here, given the number of strlcat() calls around.

I've applied this together with the other patch, which logs an error for
unknown substitutions.

Thanks a lot,
Kay


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x120709&bid&3057&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-02-01 19:26 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-02-01 15:06 [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer when Sergey Vlasov
2007-02-01 17:18 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the buffer Kay Sievers
2007-02-01 19:09 ` Sergey Vlasov
2007-02-01 19:26 ` [PATCH 2/3] udev_rules_apply_format(): don't overflow the Kay Sievers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).