From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stephen Hemminger <stephen@networkplumber.org>
Subject: [PATCH] ss: fix crash with invalid command input file
Date: Mon, 18 Dec 2017 09:52:21 -0800
Message-ID: <20171218175221.26449-1-stephen@networkplumber.org>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
        Stephen Hemminger <sthemmin@microsoft.com>
To: netdev@vger.kernel.org
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-pl0-f68.google.com ([209.85.160.68]:39334 "EHLO
        mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934505AbdLRRw1 (ORCPT
        <rfc822;netdev@vger.kernel.org>); Mon, 18 Dec 2017 12:52:27 -0500
Received: by mail-pl0-f68.google.com with SMTP id bi12so5258722plb.6
        for <netdev@vger.kernel.org>; Mon, 18 Dec 2017 09:52:27 -0800 (PST)
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

If given an invalid input file with -F flag, ss would crash.
Examples of invalid input are line to long, or null file.

Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
---
 misc/ssfilter.y | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/misc/ssfilter.y b/misc/ssfilter.y
index ba82b65f712b..4db3c95faa3c 100644
--- a/misc/ssfilter.y
+++ b/misc/ssfilter.y
@@ -202,15 +202,23 @@ int yylex(void)
 				argc++;
 			} else if (yy_fp) {
 				while (tokptr == NULL) {
-					if (fgets(argbuf, sizeof(argbuf)-1, yy_fp) == NULL)
+					size_t len;
+
+					if (fgets(argbuf, sizeof(argbuf), yy_fp) == NULL)
 						return 0;
-					argbuf[sizeof(argbuf)-1] = 0;
-					if (strlen(argbuf) == sizeof(argbuf) - 1) {
-						fprintf(stderr, "Too long line in filter");
+
+					len = strnlen(argbuf, sizeof(argbuf));
+					if (len == 0) {
+						fprintf(stderr, "Invalid line\n");
+						exit(-1);
+					}
+
+					if (len >= sizeof(argbuf) - 1) {
+						fprintf(stderr, "Too long line in filter\n");
 						exit(-1);
 					}
-					if (argbuf[strlen(argbuf)-1] == '\n')
-						argbuf[strlen(argbuf)-1] = 0;
+					if (argbuf[len - 1] == '\n')
+						argbuf[len-1] = 0;
 					if (argbuf[0] == '#' || argbuf[0] == '0')
 						continue;
 					tokptr = argbuf;
-- 
2.11.0