author | Jonathan Gray <jsg@cvs.openbsd.org> | 2024-10-05 01:07:39 +0000 |
---|---|---|
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2024-10-05 01:07:39 +0000 |
commit | c6d898a30aa6e41fd7367fccecb753b1d82d036e (patch) | |
tree | 27a9fa7de1a0cbdc2a761988709edb25eddbfe5b | |
parent | 39e3ddf8f866f73ab51f149e424d1b29616684b9 (diff) |
error on long locator lines, don't overflow buffers
found with afl, feedback and ok millert@
-rw-r--r-- | usr.sbin/config/sem.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/usr.sbin/config/sem.c b/usr.sbin/config/sem.c index b8b4b676c62..2f1c4e09324 100644 --- a/usr.sbin/config/sem.c +++ b/usr.sbin/config/sem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sem.c,v 1.38 2021/11/28 19:26:03 deraadt Exp $ */ +/* $OpenBSD: sem.c,v 1.39 2024/10/05 01:07:38 jsg Exp $ */ /* $NetBSD: sem.c,v 1.10 1996/11/11 23:40:11 gwr Exp $ */ /* @@ -83,7 +83,7 @@ static int lresolve(struct nvlist **, const char *, const char *, static struct devi *newdevi(const char *, int, struct devbase *d); static struct devi *getdevi(const char *); static const char *concat(const char *, int); -static char *extend(char *, const char *); +static char *extend(char *, size_t, char *, const char *); static int split(const char *, size_t, char *, size_t, int *); static void selectbase(struct devbase *, struct deva *); static int onlist(struct nvlist *, void *); @@ -1061,11 +1061,20 @@ onlist(struct nvlist *nv, void *ptr) } static char * -extend(char *p, const char *name) +extend(char *dst, size_t dstsize, char *p, const char *name) { int l; + if (p < dst) + panic("extend invalid pointer"); + l = strlen(name); + + if (((p - dst) + l + 2) > dstsize) { + error("extend buffer length exceeded"); + exit(1); + } + bcopy(name, p, l); p += l; *p++ = ','; @@ -1112,7 +1121,7 @@ fixloc(const char *name, struct attr *attr, struct nvlist *got) } if (n == NULL && m->nv_int == 0) { nmissing++; - mp = extend(mp, m->nv_name); + mp = extend(missing, sizeof(missing), mp, m->nv_name); } lp[ord] = m->nv_str; } @@ -1129,11 +1138,12 @@ fixloc(const char *name, struct attr *attr, struct nvlist *got) lp[n->nv_int] = n->nv_str; else if (lp[n->nv_int] == NULL) { nnodefault++; - ndp = extend(ndp, n->nv_name); + ndp = extend(nodefault, sizeof(nodefault), ndp, + n->nv_name); } } else { nextra++; - ep = extend(ep, n->nv_name); + ep = extend(extra, sizeof(extra), ep, n->nv_name); } } if (nextra) { |
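Review bot: In `extend`, `l` is still an `int` although `strlen()` returns `size_t`, so the new check `((p - dst) + l + 2) > dstsize` adds a signed `ptrdiff_t` to an `int` and compares the sum against an unsigned `size_t`. The `p < dst` guard keeps the pointer difference non-negative, but the length is narrowed before it is checked. Declaring `size_t l;` and writing `if ((size_t)(p - dst) + l + 2 > dstsize) {` keeps the whole comparison in one unsigned type. The `+ 2` also deserves a short comment such as `/* name plus the separator bytes appended below */`. The function's tail is outside the hunk, so confirm there what is written after `','`.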
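Review bot: `sizeof(missing)` in this fixloc hunk, and `sizeof(nodefault)` and `sizeof(extra)` in the next one, give the intended bound only while those names are true arrays in scope at the call site. Their declarations are outside both hunks, so this should be confirmed. If one of them later became a pointer or a parameter, `sizeof` would silently yield the pointer size and the length check in `extend` would no longer describe the real buffer. A comment at the declarations, for example `/* must remain arrays: fixloc passes sizeof() of each to extend() */`, would make that dependency visible.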