[PATCH] symlink name and possible overflow in create_node()

[PATCH] symlink name and possible overflow in create_node()

[Olaf Hering]

the filename array might overflow if I interpret the strncat man page correctly.

Why does a symlink look like './foo' instead of just 'foo'?

--- ./udev-add.c~       2004-02-16 22:58:24.000000000 +0100
+++ ./udev-add.c        2004-02-17 19:56:56.000000000 +0100
@@ -146,7 +146,7 @@ static int create_node(struct udevice *d
        int tail;

        strncpy(filename, udev_root, sizeof(filename));
-       strncat(filename, dev->name, sizeof(filename));
+       strncat(filename, dev->name, sizeof(filename) - strlen(filename));

        switch (dev->type) {
        case 'b':
@@ -247,8 +247,6 @@ static int create_node(struct udevice *d
                                i++;
                        }

-                       if (linktarget[0] = '\0')
-                               strcpy(linktarget, "./");
                        strcat(linktarget, &dev->name[tail]);

                        /* unlink existing files to ensure that our symlink is created */

-- 
USB is for mice, FireWire is for men!

sUse lINUX ag, n√úRNBERG


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: [PATCH] symlink name and possible overflow in create_node()

[Johannes Erdfelt]

On Tue, Feb 17, 2004, Olaf Hering <olh@suse.de> wrote:
> the filename array might overflow if I interpret the strncat man page correctly.
> 
> --- ./udev-add.c~       2004-02-16 22:58:24.000000000 +0100
> +++ ./udev-add.c        2004-02-17 19:56:56.000000000 +0100
> @@ -146,7 +146,7 @@ static int create_node(struct udevice *d
>         int tail;
> 
>         strncpy(filename, udev_root, sizeof(filename));
> -       strncat(filename, dev->name, sizeof(filename));
> +       strncat(filename, dev->name, sizeof(filename) - strlen(filename));
> 
>         switch (dev->type) {
>         case 'b':

strncpy/strncat don't null terminate strings if it hits the maximum
size. Looks like all of those calls need some code explicitly null
terminate the strings as well.

	strncpy(filename, udev_root, sizeof(filename));
	filename[sizeof(filename) - 1] = 0;
	strncat(filename, dev->name, sizeof(filename) - strlen(filename));
	filename[sizeof(filename) - 1] = 0;

Otherwise, it could cause strange behaviour when the strings are
actually used.

JE



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: [PATCH] symlink name and possible overflow in create_node()

[Kay Sievers]

On Tue, Feb 17, 2004 at 11:22:21AM -0800, Johannes Erdfelt wrote:
> On Tue, Feb 17, 2004, Olaf Hering <olh@suse.de> wrote:
> > the filename array might overflow if I interpret the strncat man page correctly.
> > 
> > --- ./udev-add.c~       2004-02-16 22:58:24.000000000 +0100
> > +++ ./udev-add.c        2004-02-17 19:56:56.000000000 +0100
> > @@ -146,7 +146,7 @@ static int create_node(struct udevice *d
> >         int tail;
> > 
> >         strncpy(filename, udev_root, sizeof(filename));
> > -       strncat(filename, dev->name, sizeof(filename));
> > +       strncat(filename, dev->name, sizeof(filename) - strlen(filename));
> > 
> >         switch (dev->type) {
> >         case 'b':
> 
> strncpy/strncat don't null terminate strings if it hits the maximum
> size. Looks like all of those calls need some code explicitly null
> terminate the strings as well.

Oh, we have strfieldcpy() for this.
Maybe we should have strfieldcat() too.

Anyone, who wants to send a patch? :)

thanks,
Kay


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: [PATCH] symlink name and possible overflow in create_node()

[John L. Fjellstad]

[-- Attachment #1: Type: text/plain, Size: 457 bytes --]

On Tue, Feb 17, 2004 at 08:47:04PM +0100, Kay Sievers wrote:
> Oh, we have strfieldcpy() for this.
> Maybe we should have strfieldcat() too.
> 
> Anyone, who wants to send a patch? :)

Andrey Borzenkov has that function in his include multiple
udev.rules patch.

-- 
John
email: john@fjellstad.org               Quis custodiet ipsos custodes
Yahoo Messenger: jfjellstad
MSN Messenger: liemfjellstad@hotmail.com
web: http://www.fjellstad.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

Re: [PATCH] symlink name and possible overflow in create_node()

[Kay Sievers]

On Wed, Feb 18, 2004 at 09:27:20AM +0100, John L. Fjellstad wrote:
> On Tue, Feb 17, 2004 at 08:47:04PM +0100, Kay Sievers wrote:
> > Oh, we have strfieldcpy() for this.
> > Maybe we should have strfieldcat() too.
> > 
> > Anyone, who wants to send a patch? :)
> 
> Andrey Borzenkov has that function in his include multiple
> udev.rules patch.

Oh, I meant a careful walk through the code and looking
for the string processing issues and not missing a simple function.

And the task is still unassigned :)

thanks,
Kay



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: [PATCH] symlink name and possible overflow in create_node()

[John L. Fjellstad]

[-- Attachment #1: Type: text/plain, Size: 426 bytes --]

On Wed, Feb 18, 2004 at 11:08:54AM +0100, Kay Sievers wrote:
 
> Oh, I meant a careful walk through the code and looking
> for the string processing issues and not missing a simple function.
> 
> And the task is still unassigned :)

I can take a look at it, and see if I can't come up with any (if
necessary) by Friday.

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]