From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kay Sievers Date: Sat, 04 Sep 2004 21:12:38 +0000 Subject: Re: [PATCH] udev - read long lines from config files overflow fix Message-Id: <20040904211238.GA32386@vrfy.org> MIME-Version: 1 Content-Type: multipart/mixed; boundary="azLHFNyN32YCQGCU" List-Id: References: <20040904170854.GA12270@spock.enterprise> In-Reply-To: <20040904170854.GA12270@spock.enterprise> To: linux-hotplug@vger.kernel.org --azLHFNyN32YCQGCU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sun, Sep 05, 2004 at 01:08:54AM +0800, Arun Bhanu wrote: > A line containing more than 255 characters in any of the config files - > *.rules, *.permissions or udev.conf - causes udevstart to segfault while > reading them. To reproduce, put a comment line longer than 255 > characters in any of the above files. > > The following patch against udev-030 fixes it. Cool, a real bug :) Thanks, for the patch. I think it would be better to skip lenghth exceeding lines instead of cutting it and continue. While looking at it I restructured the buffer reading logic a bit and fixed another stupid bug. o Lines with a exceeding length are skipped. o we now skip empty lines, comment lines and leading whitespace before we copy over our line string to parse. o Fix for another bug. If we don't find any valuable key in a line, we need to skip this line completely and not assume that this is a ignore rule. o Send line parsing errors to log, as nobody will ever notice it without recompilation of udev Thanks, Kay --azLHFNyN32YCQGCU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline; filename="udev-line-bug-01.patch" ===== klibc_fixups.c 1.10 vs edited ===== --- 1.10/klibc_fixups.c 2004-05-21 06:12:37 +02:00 +++ edited/klibc_fixups.c 2004-09-04 23:03:30 +02:00 @@ -41,8 +41,9 @@ static unsigned long get_id_by_name(const char *uname, const char *dbfile) { unsigned long id = -1; - char line[255]; + char line[LINE_SIZE]; char *buf; + char *bufline; size_t bufsize; size_t cur; size_t count; @@ -59,18 +60,18 @@ static unsigned long get_id_by_name(cons } /* loop through the whole file */ - cur = 0; - while (1) { + while (cur < bufsize) { count = buf_get_line(buf, bufsize, cur); + bufline = &buf[cur]; + cur += count+1; + + if (count >= LINE_SIZE) + continue; - strncpy(line, buf + cur, count); + strncpy(line, bufline, count); line[count] = '\0'; pos = line; - - cur += count+1; - if (cur > bufsize) - break; /* get name */ name = strsep(&pos, ":"); ===== namedev_parse.c 1.34 vs edited ===== --- 1.34/namedev_parse.c 2004-03-25 14:10:52 +01:00 +++ edited/namedev_parse.c 2004-09-04 22:24:14 +02:00 @@ -58,7 +58,7 @@ void dump_config_dev(struct config_devic { dbg_parse("name='%s', symlink='%s', bus='%s', place='%s', id='%s', " "sysfs_file[0]='%s', sysfs_value[0]='%s', " - "kernel='%s', program='%s', result='%s'", + "kernel='%s', program='%s', result='%s'" "owner='%s', group='%s', mode=%#o", dev->name, dev->symlink, dev->bus, dev->place, dev->id, dev->sysfs_pair[0].file, dev->sysfs_pair[0].value, @@ -144,7 +144,8 @@ static char *get_key_attribute(char *str static int namedev_parse_rules(char *filename) { - char line[255]; + char line[LINE_SIZE]; + char *bufline; int lineno; char *temp; char *temp2; @@ -155,6 +156,7 @@ static int namedev_parse_rules(char *fil size_t cur; size_t count; int program_given = 0; + int valid; int retval = 0; struct config_device dev; @@ -168,35 +170,39 @@ static int namedev_parse_rules(char *fil /* loop through the whole file */ cur = 0; lineno = 0; - while (1) { + while (cur < bufsize) { count = buf_get_line(buf, bufsize, cur); - - strncpy(line, buf + cur, count); - line[count] = '\0'; - temp = line; - lineno++; - + bufline = &buf[cur]; cur += count+1; - if (cur > bufsize) - break; - - dbg_parse("read '%s'", temp); + lineno++; - /* eat the whitespace */ - while (isspace(*temp)) - ++temp; + if (count >= LINE_SIZE) { + info("line too long, rule skipped %s, line %d", + filename, lineno); + continue; + } /* empty line? */ - if ((*temp == '\0') || (*temp == '\n')) + if (bufline[0] == '\0' || bufline[0] == '\n') continue; + /* eat the whitespace */ + while (isspace(bufline[0])) + bufline++; + /* see if this is a comment */ - if (*temp == COMMENT_CHARACTER) + if (bufline[0] == COMMENT_CHARACTER) continue; - memset(&dev, 0x00, sizeof(struct config_device)); + strncpy(line, bufline, count); + line[count] = '\0'; + dbg_parse("read '%s'", line); /* get all known keys */ + memset(&dev, 0x00, sizeof(struct config_device)); + temp = line; + valid = 0; + while (1) { retval = parse_get_pair(&temp, &temp2, &temp3); if (retval) @@ -204,16 +210,19 @@ static int namedev_parse_rules(char *fil if (strcasecmp(temp2, FIELD_BUS) == 0) { strfieldcpy(dev.bus, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_ID) == 0) { strfieldcpy(dev.id, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_PLACE) == 0) { strfieldcpy(dev.place, temp3); + valid = 1; continue; } @@ -238,54 +247,62 @@ static int namedev_parse_rules(char *fil } strfieldcpy(pair->file, attr); strfieldcpy(pair->value, temp3); + valid = 1; } continue; } if (strcasecmp(temp2, FIELD_KERNEL) == 0) { strfieldcpy(dev.kernel, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_PROGRAM) == 0) { program_given = 1; strfieldcpy(dev.program, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_RESULT) == 0) { strfieldcpy(dev.result, temp3); + valid = 1; continue; } if (strncasecmp(temp2, FIELD_NAME, sizeof(FIELD_NAME)-1) == 0) { attr = get_key_attribute(temp2 + sizeof(FIELD_NAME)-1); - if (attr != NULL) - if (strcasecmp(attr, ATTR_PARTITIONS) == 0) { + if (attr != NULL && strcasecmp(attr, ATTR_PARTITIONS) == 0) { dbg_parse("creation of partition nodes requested"); dev.partitions = PARTITIONS_COUNT; } strfieldcpy(dev.name, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_SYMLINK) == 0) { strfieldcpy(dev.symlink, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_OWNER) == 0) { strfieldcpy(dev.owner, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_GROUP) == 0) { strfieldcpy(dev.group, temp3); + valid = 1; continue; } if (strcasecmp(temp2, FIELD_MODE) == 0) { dev.mode = strtol(temp3, NULL, 8); + valid = 1; continue; } @@ -293,16 +310,20 @@ static int namedev_parse_rules(char *fil goto error; } + /* skip line if not any valid key was found */ + if (!valid) + goto error; + /* simple plausibility checks for given keys */ if ((dev.sysfs_pair[0].file[0] == '\0') ^ (dev.sysfs_pair[0].value[0] == '\0')) { - dbg("inconsistency in " FIELD_SYSFS " key"); + info("inconsistency in " FIELD_SYSFS " key"); goto error; } if ((dev.result[0] != '\0') && (program_given == 0)) { - dbg(FIELD_RESULT " is only useful when " - FIELD_PROGRAM " is called in any rule before"); + info(FIELD_RESULT " is only useful when " + FIELD_PROGRAM " is called in any rule before"); goto error; } @@ -313,8 +334,8 @@ static int namedev_parse_rules(char *fil dbg("add_config_dev returned with error %d", retval); continue; error: - dbg("%s:%d:%d: parse error, rule skipped", - filename, lineno, temp - line); + info("parse error %s, line %d:%d, rule skipped", + filename, lineno, temp - line); } } @@ -324,7 +345,8 @@ error: static int namedev_parse_permissions(char *filename) { - char line[255]; + char line[LINE_SIZE]; + char *bufline; char *temp; char *temp2; char *buf; @@ -333,6 +355,7 @@ static int namedev_parse_permissions(cha size_t count; int retval = 0; struct perm_device dev; + int lineno; if (file_map(filename, &buf, &bufsize) == 0) { dbg("reading '%s' as permissions file", filename); @@ -343,34 +366,39 @@ static int namedev_parse_permissions(cha /* loop through the whole file */ cur = 0; - while (1) { + lineno = 0; + while (cur < bufsize) { count = buf_get_line(buf, bufsize, cur); - - strncpy(line, buf + cur, count); - line[count] = '\0'; - temp = line; - + bufline = &buf[cur]; cur += count+1; - if (cur > bufsize) - break; - - dbg_parse("read '%s'", temp); + lineno++; - /* eat the whitespace at the beginning of the line */ - while (isspace(*temp)) - ++temp; + if (count >= LINE_SIZE) { + info("line too long, rule skipped %s, line %d", + filename, lineno); + continue; + } /* empty line? */ - if ((*temp == '\0') || (*temp == '\n')) + if (bufline[0] == '\0' || bufline[0] == '\n') continue; + /* eat the whitespace */ + while (isspace(bufline[0])) + bufline++; + /* see if this is a comment */ - if (*temp == COMMENT_CHARACTER) + if (bufline[0] == COMMENT_CHARACTER) continue; - memset(&dev, 0x00, sizeof(dev)); + strncpy(line, bufline, count); + line[count] = '\0'; + dbg_parse("read '%s'", line); /* parse the line */ + memset(&dev, 0x00, sizeof(struct perm_device)); + temp = line; + temp2 = strsep(&temp, ":"); if (!temp2) { dbg("cannot parse line '%s'", line); ===== udev.h 1.58 vs edited ===== --- 1.58/udev.h 2004-08-05 00:43:58 +02:00 +++ edited/udev.h 2004-09-04 19:30:25 +02:00 @@ -37,6 +37,8 @@ #define DEVPATH_SIZE 255 #define SUBSYSTEM_SIZE 30 +#define LINE_SIZE 256 + /* length of public data */ #define UDEVICE_LEN (offsetof(struct udevice, bus_id)) --azLHFNyN32YCQGCU-- ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click _______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel