RS: fix bug that overflows r_argv[]

. reported and debugged by Arne Welzel . problem is if there are too many args . there is a check, but then unconditional NULL termination
2011-07-20 17:36:21 +02:00 · 2011-07-20 17:36:21 +02:00 · 3dd7649ae7
parent 000a9d36be
commit 3dd7649ae7
2 changed files with 9 additions and 2 deletions
--- a/servers/rs/manager.c
+++ b/servers/rs/manager.c
@ -181,11 +181,17 @@ PUBLIC void build_cmd_dep(struct rproc *rp)
          *cmd_ptr = '\0';			/* terminate previous */
 	  while (*++cmd_ptr == ' ') ; 		/* skip spaces */
 	  if (*cmd_ptr == '\0') break;		/* no arg following */
-	  if (arg_count>MAX_NR_ARGS+1) break;	/* arg vector full */
+	  /* There are ARGV_ELEMENTS elements; must leave one for null */
+	  if (arg_count>=ARGV_ELEMENTS-1) {	/* arg vector full */
+		printf("RS: build_cmd_dep: too many args\n");
+	  	break;
+	  }
+	  assert(arg_count < ARGV_ELEMENTS);
          rp->r_argv[arg_count++] = cmd_ptr;	/* add to arg vector */
      }
      cmd_ptr ++;				/* continue parsing */
  }
+  assert(arg_count < ARGV_ELEMENTS);
  rp->r_argv[arg_count] = NULL;			/* end with NULL pointer */
  rp->r_argc = arg_count;
  
--- a/servers/rs/type.h
+++ b/servers/rs/type.h
@ -50,7 +50,8 @@ struct rproc {

  char r_cmd[MAX_COMMAND_LEN];	/* raw command plus arguments */
  char r_args[MAX_COMMAND_LEN];	/* null-separated raw command plus arguments */
-  char *r_argv[MAX_NR_ARGS+2];  /* parsed arguments vector */
+#define ARGV_ELEMENTS (MAX_NR_ARGS+2) /* path, args, null */
+  char *r_argv[ARGV_ELEMENTS];
  int r_argc;  			/* number of arguments */
  char r_script[MAX_SCRIPT_LEN]; /* name of the restart script executable */