potential buffer overruns in env_* routines

David van Moolenbroek 2009-05-10 16:54:37 +00:00
parent e08b38a5c4
commit a2485b346c
4 changed files with 13 additions and 10 deletions


@ -44,7 +44,7 @@ int max_len; /* maximum length of value */
if (argv[i][keylen] != '=') if (argv[i][keylen] != '=')
continue; continue;
key_value= argv[i]+keylen+1; key_value= argv[i]+keylen+1;
if (strlen(key_value)+1 > EP_BUF_SIZE) if (strlen(key_value)+1 > max_len)
return(E2BIG); return(E2BIG);
strcpy(value, key_value); strcpy(value, key_value);
return OK; return OK;
@ -65,11 +65,14 @@ int max_len; /* maximum length of value */
if ((key_value = find_key(mon_params, key)) == NULL) if ((key_value = find_key(mon_params, key)) == NULL)
return(ESRCH); return(ESRCH);
/* Value found, make the actual copy (as far as possible). */ /* Value found, see if it fits in the client's buffer. Callers assume that
strncpy(value, key_value, max_len); * their buffer is unchanged on error, so don't make a partial copy.
*/
/* See if it fits in the client's buffer. */
if ((strlen(key_value)+1) > max_len) return(E2BIG); if ((strlen(key_value)+1) > max_len) return(E2BIG);
/* Make the actual copy. */
strcpy(value, key_value);
return(OK); return(OK);
} }
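Review bot: Both new size checks compare `strlen(key_value)+1`, a `size_t`, against `max_len`, which the hunk headers show is declared `int`. A negative `max_len` is converted to a very large unsigned value, so the test is false and the unbounded `strcpy(value, key_value)` still runs. The callers visible in this commit pass `sizeof(value)`, so this may not be reachable today, but the guard is cheap: `if (max_len <= 0 || strlen(key_value)+1 > (size_t) max_len) return(E2BIG);` in both the argv path and the mon_params path. The function body starts outside both hunks, so the declaration of `value` and any earlier checks are not visible here.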


@ -11,7 +11,7 @@ char *key; /* environment variable whose value is bogus */
int s; int s;
if ((s=env_get_param(key, value, sizeof(value))) == 0) { if ((s=env_get_param(key, value, sizeof(value))) == 0) {
if (s != ESRCH) /* only error allowed */ if (s != ESRCH) /* only error allowed */
printf("WARNING: get_mon_param() failed in env_panic(): %d\n", s); printf("WARNING: env_get_param() failed in env_panic(): %d\n", s);
} }
printf("Bad environment setting: '%s = %s'\n", key, value); printf("Bad environment setting: '%s = %s'\n", key, value);
panic("","", NO_NUM); panic("","", NO_NUM);
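Review bot: The test `== 0` on the env_get_param() call looks inverted. Inside that branch `s` is always 0, so `s != ESRCH` is always true: the warning is printed only when the lookup succeeded, and a real failure such as E2BIG is silent. The env_parse() and env_prefix() callers in this same commit test `!= 0`; using `if ((s=env_get_param(key, value, sizeof(value))) != 0) {` here would match them. Because env_get_param() now leaves the buffer untouched on error, the following `printf` prints whatever `value` held before the call. Its declaration is outside the hunk, so confirm it is initialised to a valid string.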


@ -34,7 +34,7 @@ long min, max; /* minimum and maximum values for the parameter */
if ((s=env_get_param(env, value, sizeof(value))) != 0) { if ((s=env_get_param(env, value, sizeof(value))) != 0) {
if (s == ESRCH) return(EP_UNSET); /* only error allowed */ if (s == ESRCH) return(EP_UNSET); /* only error allowed */
printf("WARNING: get_mon_param() failed in env_parse(): %d\n",s); printf("WARNING: env_get_param() failed in env_parse(): %d\n",s);
return(EP_EGETKENV); return(EP_EGETKENV);
} }
val = value; val = value;


@ -19,11 +19,11 @@ char *prefix; /* prefix to test for */
if ((s = env_get_param(env, value, sizeof(value))) != 0) { if ((s = env_get_param(env, value, sizeof(value))) != 0) {
if (s != ESRCH) /* only error allowed */ if (s != ESRCH) /* only error allowed */
printf("WARNING: get_mon_param() failed in env_prefix(): %d\n", s); printf("WARNING: env_get_param() failed in env_prefix(): %d\n", s);
return FALSE;
} }
n = strlen(prefix); n = strlen(prefix);
return(value != NULL return(strncmp(value, prefix, n) == 0
&& strncmp(value, prefix, n) == 0
&& strchr(punct, value[n]) != NULL); && strchr(punct, value[n]) != NULL);
} }
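Review bot: The added `return FALSE;` directly follows an unbraced `if (s != ESRCH)` whose only body is the `printf`, so the unconditional return is easy to misread as part of that `if`, or to break with a later edit. Bracing the inner statement, `if (s != ESRCH) { printf(...); }`, keeps it obvious that every failure, including ESRCH, returns FALSE before `value` is read. A one-line comment on the return such as `/* value is not valid on any error */` would record why the old `value != NULL` test could be dropped. The function's declarations are outside the hunk.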