From: Arun Bhanu <arun@codemovers.org>
To: linux-hotplug@vger.kernel.org
Subject: Re: [PATCH] udev - read long lines from config files overflow fix
Date: Sun, 05 Sep 2004 18:28:11 +0000 [thread overview]
Message-ID: <20040905182811.GA12371@spock.enterprise> (raw)
In-Reply-To: <20040904170854.GA12270@spock.enterprise>
Hi Kay,
On 23:12 Sat 04 Sep , Kay Sievers wrote:
> Cool, a real bug :)
> Thanks, for the patch. I think it would be better to skip lenghth exceeding
> lines instead of cutting it and continue. While looking at it I restructured
> the buffer reading logic a bit and fixed another stupid bug.
Thanks for the cleanup.
You may have overlooked the fix for udev_config.c(parsing udev.conf) in
your patch. So, I've adapted the fixes you applied to namedev_parse.c
to this file also.
Also, while 'eating' the whitespace the 'count' doesn't get decremented.
This leads strncpy to copy the number of whitespace minus 1 characters
from the next line. Minus 1 because it copies '\n' from the current
line.
while (isspace(bufline[0])) {
bufline++;
+ count--;
}
.
.
.
strncpy(line, bufline, count);
Included patch(against udev-030) contains the above fixes as well as
your fixes.
--Arun
Signed-off-by: Arun Bhanu <arun@codemovers.org>
diff -Nru a/klibc_fixups.c b/klibc_fixups.c
--- a/klibc_fixups.c 2004-07-10 01:59:09.000000000 +0800
+++ b/klibc_fixups.c 2004-09-05 17:41:34.000000000 +0800
@@ -41,8 +41,9 @@
static unsigned long get_id_by_name(const char *uname, const char *dbfile)
{
unsigned long id = -1;
- char line[255];
+ char line[LINE_SIZE];
char *buf;
+ char *bufline;
size_t bufsize;
size_t cur;
size_t count;
@@ -59,19 +60,19 @@
}
/* loop through the whole file */
-
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
+ bufline = &buf[cur];
+ cur += count+1;
+
+ if (count >= LINE_SIZE)
+ continue;
- strncpy(line, buf + cur, count);
+ strncpy(line, bufline, count);
line[count] = '\0';
pos = line;
- cur += count+1;
- if (cur > bufsize)
- break;
-
/* get name */
name = strsep(&pos, ":");
if (name = NULL)
diff -Nru a/namedev_parse.c b/namedev_parse.c
--- a/namedev_parse.c 2004-07-10 01:59:09.000000000 +0800
+++ b/namedev_parse.c 2004-09-06 01:26:25.153941464 +0800
@@ -58,7 +58,7 @@
{
dbg_parse("name='%s', symlink='%s', bus='%s', place='%s', id='%s', "
"sysfs_file[0]='%s', sysfs_value[0]='%s', "
- "kernel='%s', program='%s', result='%s'",
+ "kernel='%s', program='%s', result='%s'"
"owner='%s', group='%s', mode=%#o",
dev->name, dev->symlink, dev->bus, dev->place, dev->id,
dev->sysfs_pair[0].file, dev->sysfs_pair[0].value,
@@ -144,7 +144,8 @@
static int namedev_parse_rules(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
int lineno;
char *temp;
char *temp2;
@@ -155,6 +156,7 @@
size_t cur;
size_t count;
int program_given = 0;
+ int valid;
int retval = 0;
struct config_device dev;
@@ -168,35 +170,41 @@
/* loop through the whole file */
cur = 0;
lineno = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp = '\0') || (*temp = '\n'))
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(struct config_device));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* get all known keys */
+ memset(&dev, 0x00, sizeof(struct config_device));
+ temp = line;
+ valid = 0;
+
while (1) {
retval = parse_get_pair(&temp, &temp2, &temp3);
if (retval)
@@ -204,16 +212,19 @@
if (strcasecmp(temp2, FIELD_BUS) = 0) {
strfieldcpy(dev.bus, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_ID) = 0) {
strfieldcpy(dev.id, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PLACE) = 0) {
strfieldcpy(dev.place, temp3);
+ valid = 1;
continue;
}
@@ -238,54 +249,62 @@
}
strfieldcpy(pair->file, attr);
strfieldcpy(pair->value, temp3);
+ valid = 1;
}
continue;
}
if (strcasecmp(temp2, FIELD_KERNEL) = 0) {
strfieldcpy(dev.kernel, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_PROGRAM) = 0) {
program_given = 1;
strfieldcpy(dev.program, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_RESULT) = 0) {
strfieldcpy(dev.result, temp3);
+ valid = 1;
continue;
}
if (strncasecmp(temp2, FIELD_NAME, sizeof(FIELD_NAME)-1) = 0) {
attr = get_key_attribute(temp2 + sizeof(FIELD_NAME)-1);
- if (attr != NULL)
- if (strcasecmp(attr, ATTR_PARTITIONS) = 0) {
+ if (attr != NULL && strcasecmp(attr, ATTR_PARTITIONS) = 0) {
dbg_parse("creation of partition nodes requested");
dev.partitions = PARTITIONS_COUNT;
}
strfieldcpy(dev.name, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_SYMLINK) = 0) {
strfieldcpy(dev.symlink, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_OWNER) = 0) {
strfieldcpy(dev.owner, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_GROUP) = 0) {
strfieldcpy(dev.group, temp3);
+ valid = 1;
continue;
}
if (strcasecmp(temp2, FIELD_MODE) = 0) {
dev.mode = strtol(temp3, NULL, 8);
+ valid = 1;
continue;
}
@@ -293,16 +312,20 @@
goto error;
}
+ /* skip line if not any valid key was found */
+ if (!valid)
+ goto error;
+
/* simple plausibility checks for given keys */
if ((dev.sysfs_pair[0].file[0] = '\0') ^
(dev.sysfs_pair[0].value[0] = '\0')) {
- dbg("inconsistency in " FIELD_SYSFS " key");
+ info("inconsistency in " FIELD_SYSFS " key");
goto error;
}
if ((dev.result[0] != '\0') && (program_given = 0)) {
- dbg(FIELD_RESULT " is only useful when "
- FIELD_PROGRAM " is called in any rule before");
+ info(FIELD_RESULT " is only useful when "
+ FIELD_PROGRAM " is called in any rule before");
goto error;
}
@@ -313,8 +336,8 @@
dbg("add_config_dev returned with error %d", retval);
continue;
error:
- dbg("%s:%d:%d: parse error, rule skipped",
- filename, lineno, temp - line);
+ info("parse error %s, line %d:%d, rule skipped",
+ filename, lineno, temp - line);
}
}
@@ -324,7 +347,8 @@
static int namedev_parse_permissions(char *filename)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *temp2;
char *buf;
@@ -333,6 +357,7 @@
size_t count;
int retval = 0;
struct perm_device dev;
+ int lineno;
if (file_map(filename, &buf, &bufsize) = 0) {
dbg("reading '%s' as permissions file", filename);
@@ -343,34 +368,41 @@
/* loop through the whole file */
cur = 0;
- while (1) {
+ lineno = 0;
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, rule skipped %s, line %d",
+ filename, lineno);
+ continue;
+ }
/* empty line? */
- if ((*temp = '\0') || (*temp = '\n'))
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
- memset(&dev, 0x00, sizeof(dev));
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ dbg_parse("read '%s'", line);
/* parse the line */
+ memset(&dev, 0x00, sizeof(struct perm_device));
+ temp = line;
+
temp2 = strsep(&temp, ":");
if (!temp2) {
dbg("cannot parse line '%s'", line);
diff -Nru a/udev.h b/udev.h
--- a/udev.h 2004-07-10 01:59:10.000000000 +0800
+++ b/udev.h 2004-09-05 17:41:34.000000000 +0800
@@ -37,6 +37,8 @@
#define DEVPATH_SIZE 255
#define SUBSYSTEM_SIZE 30
+#define LINE_SIZE 256
+
/* length of public data */
#define UDEVICE_LEN (offsetof(struct udevice, bus_id))
diff -Nru a/udev_config.c b/udev_config.c
--- a/udev_config.c 2004-07-10 01:59:09.000000000 +0800
+++ b/udev_config.c 2004-09-06 01:26:57.346047520 +0800
@@ -127,7 +127,8 @@
static int parse_config_file(void)
{
- char line[255];
+ char line[LINE_SIZE];
+ char *bufline;
char *temp;
char *variable;
char *value;
@@ -148,32 +149,37 @@
/* loop through the whole file */
lineno = 0;
cur = 0;
- while (1) {
+ while (cur < bufsize) {
count = buf_get_line(buf, bufsize, cur);
-
- strncpy(line, buf + cur, count);
- line[count] = '\0';
- temp = line;
- lineno++;
-
+ bufline = &buf[cur];
cur += count+1;
- if (cur > bufsize)
- break;
-
- dbg_parse("read '%s'", temp);
+ lineno++;
- /* eat the whitespace at the beginning of the line */
- while (isspace(*temp))
- ++temp;
+ if (count >= LINE_SIZE) {
+ info("line too long, conf line skipped %s, line %d",
+ udev_config_filename, lineno);
+ continue;
+ }
/* empty line? */
- if (*temp = 0x00)
+ if (bufline[0] = '\0' || bufline[0] = '\n')
continue;
+ /* eat the whitespace */
+ while (isspace(bufline[0])) {
+ bufline++;
+ count--;
+ }
+
/* see if this is a comment */
- if (*temp = COMMENT_CHARACTER)
+ if (bufline[0] = COMMENT_CHARACTER)
continue;
+ strncpy(line, bufline, count);
+ line[count] = '\0';
+ temp = line;
+ dbg_parse("read '%s'", temp);
+
retval = parse_get_pair(&temp, &variable, &value);
if (retval != 0)
info("%s:%d:%Zd: error parsing '%s'",
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id\x10808&op=click
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
next prev parent reply other threads:[~2004-09-05 18:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-04 17:08 [PATCH] udev - read long lines from config files overflow fix Arun Bhanu
2004-09-04 21:12 ` Kay Sievers
2004-09-05 18:28 ` Arun Bhanu [this message]
2004-09-05 18:51 ` Kay Sievers
2004-09-10 20:03 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040905182811.GA12371@spock.enterprise \
--to=arun@codemovers.org \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).