potential buffer overruns in env_* routines
This commit is contained in:
parent
e08b38a5c4
commit
a2485b346c
4 changed files with 13 additions and 10 deletions
|
@ -44,7 +44,7 @@ int max_len; /* maximum length of value */
|
||||||
if (argv[i][keylen] != '=')
|
if (argv[i][keylen] != '=')
|
||||||
continue;
|
continue;
|
||||||
key_value= argv[i]+keylen+1;
|
key_value= argv[i]+keylen+1;
|
||||||
if (strlen(key_value)+1 > EP_BUF_SIZE)
|
if (strlen(key_value)+1 > max_len)
|
||||||
return(E2BIG);
|
return(E2BIG);
|
||||||
strcpy(value, key_value);
|
strcpy(value, key_value);
|
||||||
return OK;
|
return OK;
|
||||||
|
@ -65,11 +65,14 @@ int max_len; /* maximum length of value */
|
||||||
if ((key_value = find_key(mon_params, key)) == NULL)
|
if ((key_value = find_key(mon_params, key)) == NULL)
|
||||||
return(ESRCH);
|
return(ESRCH);
|
||||||
|
|
||||||
/* Value found, make the actual copy (as far as possible). */
|
/* Value found, see if it fits in the client's buffer. Callers assume that
|
||||||
strncpy(value, key_value, max_len);
|
* their buffer is unchanged on error, so don't make a partial copy.
|
||||||
|
*/
|
||||||
/* See if it fits in the client's buffer. */
|
|
||||||
if ((strlen(key_value)+1) > max_len) return(E2BIG);
|
if ((strlen(key_value)+1) > max_len) return(E2BIG);
|
||||||
|
|
||||||
|
/* Make the actual copy. */
|
||||||
|
strcpy(value, key_value);
|
||||||
|
|
||||||
return(OK);
|
return(OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ char *key; /* environment variable whose value is bogus */
|
||||||
int s;
|
int s;
|
||||||
if ((s=env_get_param(key, value, sizeof(value))) == 0) {
|
if ((s=env_get_param(key, value, sizeof(value))) == 0) {
|
||||||
if (s != ESRCH) /* only error allowed */
|
if (s != ESRCH) /* only error allowed */
|
||||||
printf("WARNING: get_mon_param() failed in env_panic(): %d\n", s);
|
printf("WARNING: env_get_param() failed in env_panic(): %d\n", s);
|
||||||
}
|
}
|
||||||
printf("Bad environment setting: '%s = %s'\n", key, value);
|
printf("Bad environment setting: '%s = %s'\n", key, value);
|
||||||
panic("","", NO_NUM);
|
panic("","", NO_NUM);
|
||||||
|
|
|
@ -34,7 +34,7 @@ long min, max; /* minimum and maximum values for the parameter */
|
||||||
|
|
||||||
if ((s=env_get_param(env, value, sizeof(value))) != 0) {
|
if ((s=env_get_param(env, value, sizeof(value))) != 0) {
|
||||||
if (s == ESRCH) return(EP_UNSET); /* only error allowed */
|
if (s == ESRCH) return(EP_UNSET); /* only error allowed */
|
||||||
printf("WARNING: get_mon_param() failed in env_parse(): %d\n",s);
|
printf("WARNING: env_get_param() failed in env_parse(): %d\n",s);
|
||||||
return(EP_EGETKENV);
|
return(EP_EGETKENV);
|
||||||
}
|
}
|
||||||
val = value;
|
val = value;
|
||||||
|
|
|
@ -19,11 +19,11 @@ char *prefix; /* prefix to test for */
|
||||||
|
|
||||||
if ((s = env_get_param(env, value, sizeof(value))) != 0) {
|
if ((s = env_get_param(env, value, sizeof(value))) != 0) {
|
||||||
if (s != ESRCH) /* only error allowed */
|
if (s != ESRCH) /* only error allowed */
|
||||||
printf("WARNING: get_mon_param() failed in env_prefix(): %d\n", s);
|
printf("WARNING: env_get_param() failed in env_prefix(): %d\n", s);
|
||||||
|
return FALSE;
|
||||||
}
|
}
|
||||||
n = strlen(prefix);
|
n = strlen(prefix);
|
||||||
return(value != NULL
|
return(strncmp(value, prefix, n) == 0
|
||||||
&& strncmp(value, prefix, n) == 0
|
|
||||||
&& strchr(punct, value[n]) != NULL);
|
&& strchr(punct, value[n]) != NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue