config(8): "fix" a couple of buffer overflows

Recently added/changed lines in various kernel configs have caused some
buffer overflows that went undetected. These were detected with a config
built using -fno-common as these line buffers smashed one of our arrays,
then further triaged with ASAN.

Double the sizes; this is really not a great fix, but addresses the
immediate need until someone rewrites config. While here, add some bounds
checking so that we don't need to detect this by random bus errors or other
weird failures.

MFC after:	3 days
Kyle Evans 2020-04-07 14:14:59 +00:00
parent ed648b3f39
commit 610acef538


@ -322,7 +322,7 @@ usage(void)
char *
get_word(FILE *fp)
{
static char line[80];
static char line[160];
int ch;
char *cp;
int escaped_nl = 0;
@ -352,11 +352,17 @@ get_word(FILE *fp)
*cp = 0;
return (line);
}
while ((ch = getc(fp)) != EOF) {
while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
if (isspace(ch))
break;
*cp++ = ch;
}
if (cp >= line + sizeof(line)) {
line[sizeof(line) - 1] = '\0';
fprintf(stderr, "config: attempted overflow, partial line: `%s'",
line);
exit(2);
}
*cp = 0;
if (ch == EOF)
return ((char *)EOF);
@ -372,7 +378,7 @@ get_word(FILE *fp)
char *
get_quoted_word(FILE *fp)
{
static char line[256];
static char line[512];
int ch;
char *cp;
int escaped_nl = 0;
@ -415,16 +421,30 @@ get_quoted_word(FILE *fp)
}
if (ch != quote && escaped_nl)
*cp++ = '\\';
if (cp >= line + sizeof(line)) {
line[sizeof(line) - 1] = '\0';
printf(
"config: line buffer overflow reading partial line `%s'\n",
line);
exit(2);
}
*cp++ = ch;
escaped_nl = 0;
}
} else {
*cp++ = ch;
while ((ch = getc(fp)) != EOF) {
while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
if (isspace(ch))
break;
*cp++ = ch;
}
if (cp >= line + sizeof(line)) {
line[sizeof(line) - 1] = '\0';
printf(
"config: line buffer overflow reading partial line `%s'\n",
line);
exit(2);
}
if (ch != EOF)
(void) ungetc(ch, fp);
}
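Review bot: In the quoted branch of get_quoted_word the new bounds check sits after the `*cp++ = '\\';` store, and it still allows `*cp++ = ch;` to leave cp equal to `line + sizeof(line)`. On the following iteration the backslash store is therefore unchecked when escaped_nl is set, and if the loop ends at that point any terminator written after the loop would land one byte past the buffer; both depend on code outside this hunk, so confirm against the rest of the function. Moving the check above `if (ch != quote && escaped_nl)` and testing `if ((size_t)(cp - line) + 2 >= sizeof(line))` keeps room for the backslash, the character and the NUL. Separately, the get_word message goes to stderr with no trailing `\n`, while the two get_quoted_word messages use printf and end with one; a single form would make the failure easier to spot in build logs.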