From 3dd7649ae7640da730285633f8fc4dfc98197bd1 Mon Sep 17 00:00:00 2001
From: Ben Gras
Date: Wed, 20 Jul 2011 17:36:21 +0200
Subject: [PATCH] RS: fix bug that overflows r_argv[]

. reported and debugged by Arne Welzel
. problem is if there are too many args
. there is a check, but then unconditional NULL termination
---
 servers/rs/manager.c | 8 +++++++-
 servers/rs/type.h | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/servers/rs/manager.c b/servers/rs/manager.c
index 5efc25904..7f0c57ee8 100644
--- a/servers/rs/manager.c
+++ b/servers/rs/manager.c
@@ -181,11 +181,17 @@ PUBLIC void build_cmd_dep(struct rproc *rp)
 *cmd_ptr = '\0'; /* terminate previous */
 while (*++cmd_ptr == ' ') ; /* skip spaces */
 if (*cmd_ptr == '\0') break; /* no arg following */
- if (arg_count>MAX_NR_ARGS+1) break; /* arg vector full */
+ /* There are ARGV_ELEMENTS elements; must leave one for null */
+ if (arg_count>=ARGV_ELEMENTS-1) { /* arg vector full */
+ printf("RS: build_cmd_dep: too many args\n");
+ break;
+ }
+ assert(arg_count < ARGV_ELEMENTS);
 rp->r_argv[arg_count++] = cmd_ptr; /* add to arg vector */
 }
 cmd_ptr ++; /* continue parsing */
 }
+ assert(arg_count < ARGV_ELEMENTS);
 rp->r_argv[arg_count] = NULL; /* end with NULL pointer */
 rp->r_argc = arg_count;
diff --git a/servers/rs/type.h b/servers/rs/type.h
index 8deb541e1..378f26198 100644
--- a/servers/rs/type.h
+++ b/servers/rs/type.h
@@ -50,7 +50,8 @@ struct rproc {
 char r_cmd[MAX_COMMAND_LEN]; /* raw command plus arguments */
 char r_args[MAX_COMMAND_LEN]; /* null-separated raw command plus arguments */
- char *r_argv[MAX_NR_ARGS+2]; /* parsed arguments vector */
+#define ARGV_ELEMENTS (MAX_NR_ARGS+2) /* path, args, null */
+ char *r_argv[ARGV_ELEMENTS];
 int r_argc; /* number of arguments */
 char r_script[MAX_SCRIPT_LEN]; /* name of the restart script executable */
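Review bot: In the servers/rs/manager.c hunk, the new "arg vector full" branch only prints and breaks, so an over-long command line is silently truncated, and because `build_cmd_dep` is `void` the caller cannot reject it. Presumably the service is then started with a shortened argv, which can change what the command means if the dropped arguments mattered. At minimum the message should identify the affected command, e.g. `printf("RS: build_cmd_dep: too many args, truncating: %s\n", rp->r_cmd);` (assuming `r_cmd` still holds the raw command at this point), and the function's header comment should state that excess arguments are dropped. Note also that both `assert(arg_count < ARGV_ELEMENTS)` calls disappear under NDEBUG and the first cannot fire after the guard above it, so the `if` is the only real bound check and deserves a comment saying so. The body of `build_cmd_dep` starts and ends outside this hunk, so the initial value of `arg_count` could not be checked here.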