From: Kay Sievers <kay.sievers@vrfy.org>
To: linux-hotplug@vger.kernel.org
Subject: Re: [PATCH] udev - read long lines from config files overflow fix
Date: Sat, 04 Sep 2004 21:12:38 +0000 [thread overview]
Message-ID: <20040904211238.GA32386@vrfy.org> (raw)
In-Reply-To: <20040904170854.GA12270@spock.enterprise>
[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]
On Sun, Sep 05, 2004 at 01:08:54AM +0800, Arun Bhanu wrote:
> A line containing more than 255 characters in any of the config files -
> *.rules, *.permissions or udev.conf - causes udevstart to segfault while
> reading them. To reproduce, put a comment line longer than 255
> characters in any of the above files.
>
> The following patch against udev-030 fixes it.
Cool, a real bug :)
Thanks, for the patch. I think it would be better to skip lenghth exceeding
lines instead of cutting it and continue. While looking at it I restructured
the buffer reading logic a bit and fixed another stupid bug.
o Lines with a exceeding length are skipped.
o we now skip empty lines, comment lines and leading whitespace before
we copy over our line string to parse.
o Fix for another bug. If we don't find any valuable key in a line, we
need to skip this line completely and not assume that this is a ignore
rule.
o Send line parsing errors to log, as nobody will ever notice it without
recompilation of udev
Thanks,
Kay
[-- Attachment #2: udev-line-bug-01.patch --]
[-- Type: text/plain, Size: 8190 bytes --]
===== klibc_fixups.c 1.10 vs edited =====
--- 1.10/klibc_fixups.c 2004-05-21 06:12:37 +02:00
+++ edited/klibc_fixups.c 2004-09-04 23:03:30 +02:00
@@ -41,8 +41,9 @@
static unsigned long get_id_by_name(const char *uname, const char *dbfile)
{
unsigned long id = -1;
- char line[255];
+ char line[LINE_SIZE];
char *buf;
+ char *bufline;
size_t bufsize;
size_t cur;
size_t count;
@@ -59,18 +60,18 @@ static unsigned long get_id_by_name(cons
}
/* loop through the whole file */
-
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
+ bufline = &buf[cur];
+ cur += count+1;
+
+ if (count >= LINE_SIZE)
+ continue;
- strncpy(line, buf + cur, count);
+ strncpy(line, bufline, count);
line[count] = '\0';
pos = line;
-
- cur += count+1;
- if (cur > bufsize)
- break;
/* get name */
name = strsep(&pos, ":");
===== namedev_parse.c 1.34 vs edited =====
--- 1.34/namedev_parse.c 2004-03-25 14:10:52 +01:00
+++ edited/namedev_parse.c 2004-09-04 22:24:14 +02:00
@@ -58,7 +58,7 @@ void dump_config_dev(struct config_devic
{
dbg_parse("name='%s', symlink='%s', bus='%s', place='%s', id='%s', "
"sysfs_file[0]='%s', sysfs_value[0]='%s', "
- "kernel='%s', program='%s', result='%s'",
+ "kernel='%s', program='%s', result='%s'"
"owner='%s', group='%s', mode=%#o",
dev->name, dev->symlink, dev->bus, dev->place, dev->id,
dev->sysfs_pair[0].file, dev->sysfs_pair[0].value,
@@ -144,7 +144,8 @@ static char *get_key_attribute(char *str
static int namedev_parse_rules(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
int lineno;
char *temp;
char *temp2;
@@ -155,6 +156,7 @@ static int namedev_parse_rules(char *fil
size_t cur;
size_t count;
int program_given = 0;
+ int valid;
int retval = 0;
struct config_device dev;
@@ -168,35 +170,39 @@ static int namedev_parse_rules(char *fil
/* loop through the whole file */
cur = 0;
lineno = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp == '\0') || (*temp == '\n'))
+ if (bufline[0] == '\0' || bufline[0] == '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0]))
+ bufline++;
+
/* see if this is a comment */
- if (*temp == COMMENT_CHARACTER)
+ if (bufline[0] == COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(struct config_device));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* get all known keys */
+ memset(&dev, 0x00, sizeof(struct config_device));
+ temp = line;
+ valid = 0;
+
while (1) {
retval = parse_get_pair(&temp, &temp2, &temp3);
if (retval)
@@ -204,16 +210,19 @@ static int namedev_parse_rules(char *fil
if (strcasecmp(temp2, FIELD_BUS) == 0) {
strfieldcpy(dev.bus, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_ID) == 0) {
strfieldcpy(dev.id, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PLACE) == 0) {
strfieldcpy(dev.place, temp3);
+ valid = 1;
continue;
}
@@ -238,54 +247,62 @@ static int namedev_parse_rules(char *fil
}
strfieldcpy(pair->file, attr);
strfieldcpy(pair->value, temp3);
+ valid = 1;
}
continue;
}
if (strcasecmp(temp2, FIELD_KERNEL) == 0) {
strfieldcpy(dev.kernel, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PROGRAM) == 0) {
program_given = 1;
strfieldcpy(dev.program, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_RESULT) == 0) {
strfieldcpy(dev.result, temp3);
+ valid = 1;
continue;
}
if (strncasecmp(temp2, FIELD_NAME, sizeof(FIELD_NAME)-1) == 0) {
attr = get_key_attribute(temp2 + sizeof(FIELD_NAME)-1);
- if (attr != NULL)
- if (strcasecmp(attr, ATTR_PARTITIONS) == 0) {
+ if (attr != NULL && strcasecmp(attr, ATTR_PARTITIONS) == 0) {
dbg_parse("creation of partition nodes requested");
dev.partitions = PARTITIONS_COUNT;
}
strfieldcpy(dev.name, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_SYMLINK) == 0) {
strfieldcpy(dev.symlink, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_OWNER) == 0) {
strfieldcpy(dev.owner, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_GROUP) == 0) {
strfieldcpy(dev.group, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_MODE) == 0) {
dev.mode = strtol(temp3, NULL, 8);
+ valid = 1;
continue;
}
@@ -293,16 +310,20 @@ static int namedev_parse_rules(char *fil
goto error;
}
+ /* skip line if not any valid key was found */
+ if (!valid)
+ goto error;
+
/* simple plausibility checks for given keys */
if ((dev.sysfs_pair[0].file[0] == '\0') ^
(dev.sysfs_pair[0].value[0] == '\0')) {
- dbg("inconsistency in " FIELD_SYSFS " key");
+ info("inconsistency in " FIELD_SYSFS " key");
goto error;
}
if ((dev.result[0] != '\0') && (program_given == 0)) {
- dbg(FIELD_RESULT " is only useful when "
- FIELD_PROGRAM " is called in any rule before");
+ info(FIELD_RESULT " is only useful when "
+ FIELD_PROGRAM " is called in any rule before");
goto error;
}
@@ -313,8 +334,8 @@ static int namedev_parse_rules(char *fil
dbg("add_config_dev returned with error %d", retval);
continue;
error:
- dbg("%s:%d:%d: parse error, rule skipped",
- filename, lineno, temp - line);
+ info("parse error %s, line %d:%d, rule skipped",
+ filename, lineno, temp - line);
}
}
@@ -324,7 +345,8 @@ error:
static int namedev_parse_permissions(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *temp2;
char *buf;
@@ -333,6 +355,7 @@ static int namedev_parse_permissions(cha
size_t count;
int retval = 0;
struct perm_device dev;
+ int lineno;
if (file_map(filename, &buf, &bufsize) == 0) {
dbg("reading '%s' as permissions file", filename);
@@ -343,34 +366,39 @@ static int namedev_parse_permissions(cha
/* loop through the whole file */
cur = 0;
- while (1) {
+ lineno = 0;
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp == '\0') || (*temp == '\n'))
+ if (bufline[0] == '\0' || bufline[0] == '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0]))
+ bufline++;
+
/* see if this is a comment */
- if (*temp == COMMENT_CHARACTER)
+ if (bufline[0] == COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(dev));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* parse the line */
+ memset(&dev, 0x00, sizeof(struct perm_device));
+ temp = line;
+
temp2 = strsep(&temp, ":");
if (!temp2) {
dbg("cannot parse line '%s'", line);
===== udev.h 1.58 vs edited =====
--- 1.58/udev.h 2004-08-05 00:43:58 +02:00
+++ edited/udev.h 2004-09-04 19:30:25 +02:00
@@ -37,6 +37,8 @@
#define DEVPATH_SIZE 255
#define SUBSYSTEM_SIZE 30
+#define LINE_SIZE 256
+
/* length of public data */
#define UDEVICE_LEN (offsetof(struct udevice, bus_id))
next prev parent reply other threads:[~2004-09-04 21:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-04 17:08 [PATCH] udev - read long lines from config files overflow fix Arun Bhanu
2004-09-04 21:12 ` Kay Sievers [this message]
2004-09-05 18:28 ` Arun Bhanu
2004-09-05 18:51 ` Kay Sievers
2004-09-10 20:03 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040904211238.GA32386@vrfy.org \
--to=kay.sievers@vrfy.org \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).