From: Christophe Fergeau <cfergeau@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCHv2 2/4] libcacard: fix soft=... parsing in vcard_emul_options
Date: Mon, 27 Jun 2011 17:27:37 +0200 [thread overview]
Message-ID: <1309188459-806-3-git-send-email-cfergeau@redhat.com> (raw)
In-Reply-To: <1309188459-806-1-git-send-email-cfergeau@redhat.com>
The previous parser had copy and paste errors when computing
vname_length and type_params_length, "name" was used instead
of respectively vname and type_params. This led to length that could
be bigger than the input string, and to access out of the array
bounds when trying to copy these strings. valgrind rightfully
complained about this. It also didn't handle empty fields correctly,
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
libcacard/vcard_emul_nss.c | 45 +++++++++++++++++++++++++++----------------
1 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
index 184252f..9271f58 100644
--- a/libcacard/vcard_emul_nss.c
+++ b/libcacard/vcard_emul_nss.c
@@ -980,8 +980,6 @@ vcard_emul_options(const char *args)
{
int reader_count = 0;
VCardEmulOptions *opts;
- char type_str[100];
- int type_len;
/* Allow the future use of allocating the options structure on the fly */
memcpy(&options, &default_options, sizeof(options));
@@ -996,18 +994,24 @@ vcard_emul_options(const char *args)
* cert_2,cert_3...) */
if (strncmp(args, "soft=", 5) == 0) {
const char *name;
+ size_t name_length;
const char *vname;
+ size_t vname_length;
const char *type_params;
+ size_t type_params_length;
+ char type_str[100];
VCardEmulType type;
- int name_length, vname_length, type_params_length, count, i;
+ int count, i;
VirtualReaderOptions *vreaderOpt = NULL;
args = strip(args + 5);
if (*args != '(') {
continue;
}
+ args = strip(args+1);
+
name = args;
- args = strpbrk(args + 1, ",)");
+ args = strpbrk(args, ",)");
if (*args == 0) {
break;
}
@@ -1015,10 +1019,11 @@ vcard_emul_options(const char *args)
args++;
continue;
}
+ name_length = args - name;
args = strip(args+1);
- name_length = args - name - 2;
+
vname = args;
- args = strpbrk(args + 1, ",)");
+ args = strpbrk(args, ",)");
if (*args == 0) {
break;
}
@@ -1026,13 +1031,10 @@ vcard_emul_options(const char *args)
args++;
continue;
}
- vname_length = args - name - 2;
+ vname_length = args - vname;
args = strip(args+1);
- type_len = strpbrk(args, ",)") - args;
- assert(sizeof(type_str) > type_len);
- strncpy(type_str, args, type_len);
- type_str[type_len] = 0;
- type = vcard_emul_type_from_string(type_str);
+
+ type_params = args;
args = strpbrk(args, ",)");
if (*args == 0) {
break;
@@ -1041,9 +1043,16 @@ vcard_emul_options(const char *args)
args++;
continue;
}
+ type_params_length = args - type_params;
args = strip(args+1);
+
+ type_params_length = MIN(type_params_length, sizeof(type_str)-1);
+ strncpy(type_str, type_params, type_params_length);
+ type_str[type_params_length] = 0;
+ type = vcard_emul_type_from_string(type_str);
+
type_params = args;
- args = strpbrk(args + 1, ",)");
+ args = strpbrk(args, ",)");
if (*args == 0) {
break;
}
@@ -1051,8 +1060,9 @@ vcard_emul_options(const char *args)
args++;
continue;
}
- type_params_length = args - name;
+ type_params_length = args - type_params;
args = strip(args+1);
+
if (*args == 0) {
break;
}
@@ -1072,13 +1082,14 @@ vcard_emul_options(const char *args)
vreaderOpt->card_type = type;
vreaderOpt->type_params =
copy_string(type_params, type_params_length);
- count = count_tokens(args, ',', ')');
+ count = count_tokens(args, ',', ')') + 1;
vreaderOpt->cert_count = count;
vreaderOpt->cert_name = (char **)qemu_malloc(count*sizeof(char *));
for (i = 0; i < count; i++) {
- const char *cert = args + 1;
- args = strpbrk(args + 1, ",)");
+ const char *cert = args;
+ args = strpbrk(args, ",)");
vreaderOpt->cert_name[i] = copy_string(cert, args - cert);
+ args = strip(args+1);
}
if (*args == ')') {
args++;
--
1.7.5.4
next prev parent reply other threads:[~2011-06-27 15:27 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-24 14:37 [Qemu-devel] [PATCH 1/2] libcacard: fix soft=... parsing in vcard_emul_options Christophe Fergeau
2011-06-24 14:37 ` [Qemu-devel] [PATCH 2/2] libcacard: replace copy_string with strndup Christophe Fergeau
2011-06-24 14:52 ` Alon Levy
2011-06-24 16:51 ` [Qemu-devel] [PATCH 1/2] libcacard: fix soft=... parsing in vcard_emul_options Alon Levy
2011-06-27 12:13 ` Christophe Fergeau
2011-06-27 15:27 ` [Qemu-devel] [PATCHv2 0/4] libcacard fixes Christophe Fergeau
2011-06-27 15:27 ` [Qemu-devel] [PATCHv2 1/4] libcacard: s/strip(args++)/strip(args+1) Christophe Fergeau
2011-06-27 15:27 ` Christophe Fergeau [this message]
2011-06-27 15:27 ` [Qemu-devel] [PATCHv2 3/4] libcacard: introduce NEXT_TOKEN macro Christophe Fergeau
2011-06-27 15:27 ` [Qemu-devel] [PATCHv2 4/4] libcacard: replace copy_string with strndup Christophe Fergeau
2011-06-27 19:57 ` [Qemu-devel] [PATCHv2 0/4] libcacard fixes Alon Levy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1309188459-806-3-git-send-email-cfergeau@redhat.com \
--to=cfergeau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).