From 722f1b2b9f3ba12121d2d796fdd5db88fd5f5127 Mon Sep 17 00:00:00 2001 From: Ben Gras Date: Tue, 16 Jan 2007 14:50:10 +0000 Subject: [PATCH] . added checks for buffer sizes in sys_datacopy() functions in mfs, print debug message if copy is truncated . increased buffer in lookup() to be PATH_MAX instead of NAME_MAX . sanity check in fetch_name() in vfs to see if name fits, and is null-terminated . first check i < NAME_MAX, then string[i] in search_dir, as we're not supposed to look at string[NAME_MAX] --- servers/mfs/const.h | 2 ++ servers/mfs/link.c | 6 +++--- servers/mfs/open.c | 13 ++++++++----- servers/mfs/path.c | 10 ++++++---- servers/mfs/proto.h | 17 ----------------- servers/mfs/utility.c | 8 +++++++- servers/vfs/utility.c | 14 ++++++++++++++ 7 files changed, 40 insertions(+), 30 deletions(-) diff --git a/servers/mfs/const.h b/servers/mfs/const.h index e6b77e572..2fed5b48f 100644 --- a/servers/mfs/const.h +++ b/servers/mfs/const.h @@ -106,3 +106,5 @@ #define V2_INODE_SIZE usizeof (d2_inode) /* bytes in V2 dsk ino */ #define V2_INDIRECTS(b) ((b)/V2_ZONE_NUM_SIZE) /* # zones/indir block */ #define V2_INODES_PER_BLOCK(b) ((b)/V2_INODE_SIZE)/* # V2 dsk inodes/blk */ + +#define MFS_MIN(a,b) mfs_min_f(__FILE__,__LINE__,(a), (b)) diff --git a/servers/mfs/link.c b/servers/mfs/link.c index 155421ee7..141d94ba1 100644 --- a/servers/mfs/link.c +++ b/servers/mfs/link.c @@ -45,7 +45,7 @@ PUBLIC int fs_link() /* Copy the link name's last component */ r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, (vir_bytes) string, - (phys_bytes) fs_m_in.REQ_PATH_LEN); + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string))); /* Temporarily open the file. */ if ( (rip = get_inode(fs_dev, fs_m_in.REQ_LINKED_FILE)) == NIL_INODE) { @@ -124,7 +124,7 @@ PUBLIC int fs_unlink() /* Copy the last component */ r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, (vir_bytes) string, - (phys_bytes) fs_m_in.REQ_PATH_LEN); + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string))); if (r != OK) return r; @@ -305,7 +305,7 @@ PUBLIC int fs_rename() /* Copy the last component of the old name */ r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, (vir_bytes) old_name, - (phys_bytes) fs_m_in.REQ_PATH_LEN); + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(old_name))); if (r != OK) return r; /* Copy the last component of the new name */ diff --git a/servers/mfs/open.c b/servers/mfs/open.c index 77e92c3f9..a45d94c34 100644 --- a/servers/mfs/open.c +++ b/servers/mfs/open.c @@ -50,7 +50,9 @@ PUBLIC int fs_open() if (oflags & O_CREAT) { /* Copy the last component */ err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, - SELF, (vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN); + SELF, (vir_bytes) lastc, + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, + sizeof(lastc))); if (err_code != OK) return err_code; @@ -164,7 +166,7 @@ PUBLIC int fs_create() /* Copy the last component */ err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, - SELF, (vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN); + SELF, (vir_bytes) lastc, (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc))); if (err_code != OK) return err_code; @@ -213,7 +215,8 @@ PUBLIC int fs_mknod() /* Copy the last component and set up caller's user and group id */ err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, - (vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN); + (vir_bytes) lastc, + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc))); if (err_code != OK) return err_code; @@ -248,7 +251,7 @@ PUBLIC int fs_mkdir() /* Copy the last component and set up caller's user and group id */ err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, (vir_bytes) lastc, (phys_bytes) - MIN(fs_m_in.REQ_PATH_LEN, NAME_MAX)); + MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc))); if (err_code != OK) return err_code; @@ -323,7 +326,7 @@ PUBLIC int fs_slink() /* Copy the link name's last component */ r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, (vir_bytes) string, - (phys_bytes) fs_m_in.REQ_PATH_LEN); + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string))); if (r != OK) return r; diff --git a/servers/mfs/path.c b/servers/mfs/path.c index 5c6f37e37..04e4e6104 100644 --- a/servers/mfs/path.c +++ b/servers/mfs/path.c @@ -34,7 +34,7 @@ FORWARD _PROTOTYPE( int ltraverse, (struct inode *rip, char *path, *===========================================================================*/ PUBLIC int lookup() { - char string[NAME_MAX]; + char string[PATH_MAX]; struct inode *rip; int s_error, flags; @@ -42,7 +42,8 @@ PUBLIC int lookup() /* Copy the pathname and set up caller's user and group id */ err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF, - (vir_bytes) user_path, (phys_bytes) fs_m_in.REQ_PATH_LEN); + (vir_bytes) user_path, + (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string))); if (err_code != OK) return err_code; @@ -60,7 +61,7 @@ PUBLIC int lookup() if (err_code != OK || (flags & PATH_PENULTIMATE)) { s_error = sys_datacopy(SELF_E, (vir_bytes) string, FS_PROC_NR, (vir_bytes) fs_m_in.REQ_USER_ADDR, (phys_bytes) - MIN(strlen(string)+1, NAME_MAX)); + MFS_MIN(strlen(string)+1, NAME_MAX)); if (s_error != OK) return s_error; } @@ -622,7 +623,7 @@ int flag; /* LOOK_UP, ENTER, DELETE or IS_EMPTY */ /* 'bp' now points to a directory block with space. 'dp' points to slot. */ (void) memset(dp->d_name, 0, (size_t) NAME_MAX); /* clear entry */ - for (i = 0; string[i] && i < NAME_MAX; i++) dp->d_name[i] = string[i]; + for (i = 0; i < NAME_MAX && string[i]; i++) dp->d_name[i] = string[i]; sp = ldir_ptr->i_sp; dp->d_ino = conv4(sp->s_native, (int) *numb); bp->b_dirt = DIRTY; @@ -668,3 +669,4 @@ char string[NAME_MAX]; /* the final component is returned here */ return parse_path(path, string, LAST_DIR); } + diff --git a/servers/mfs/proto.h b/servers/mfs/proto.h index 54f071985..e83f36d39 100644 --- a/servers/mfs/proto.h +++ b/servers/mfs/proto.h @@ -193,20 +193,3 @@ _PROTOTYPE( struct buf *new_block, (struct inode *rip, off_t position) ); _PROTOTYPE( void zero_block, (struct buf *bp) ); _PROTOTYPE( int write_map, (struct inode *, off_t, zone_t, int) ); -/* select.c */ -_PROTOTYPE( int do_select, (void) ); -_PROTOTYPE( int select_callback, (struct filp *, int ops) ); -_PROTOTYPE( void select_forget, (int fproc) ); -_PROTOTYPE( void select_timeout_check, (timer_t *) ); -_PROTOTYPE( void init_select, (void) ); -_PROTOTYPE( void select_unsuspend_by_endpt, (int proc) ); -_PROTOTYPE( int select_notified, (int major, int minor, int ops) ); - -/* timers.c */ -_PROTOTYPE( void fs_set_timer, (timer_t *tp, int delta, tmr_func_t watchdog, int arg)); -_PROTOTYPE( void fs_expire_timers, (clock_t now) ); -_PROTOTYPE( void fs_cancel_timer, (timer_t *tp) ); -_PROTOTYPE( void fs_init_timer, (timer_t *tp) ); - -/* cdprobe.c */ -_PROTOTYPE( int cdprobe, (void) ); diff --git a/servers/mfs/utility.c b/servers/mfs/utility.c index b9995dc19..387d877ab 100644 --- a/servers/mfs/utility.c +++ b/servers/mfs/utility.c @@ -90,4 +90,10 @@ PUBLIC time_t clock_time() return( (time_t) (boottime + (uptime/HZ))); } - +int mfs_min_f(char *file, int line, int v1, int v2) +{ + if(v2 >= v1) return v1; + printf("mfs:%s:%d: truncated %d to %d\n", + file, line, v1, v2); + return v2; +} diff --git a/servers/vfs/utility.c b/servers/vfs/utility.c index a73442088..bbfb4a015 100644 --- a/servers/vfs/utility.c +++ b/servers/vfs/utility.c @@ -35,6 +35,10 @@ int flag; /* M3 means path may be in message */ register char *rpu, *rpm; int r; + if(len >= sizeof(user_fullpath)) { + panic(__FILE__, "fetch_name: len too much for user_fullpath", len); + } + /* Check name length for validity. */ if (len <= 0) { err_code = EINVAL; @@ -58,6 +62,16 @@ int flag; /* M3 means path may be in message */ FS_PROC_NR, (vir_bytes) user_fullpath, (phys_bytes) len); } + if(user_fullpath[len-1] != '\0') { + int i; + printf("fetch_name: name not null-terminated: "); + for(i = 0; i < len; i++) { + printf("%c", user_fullpath[i]); + } + printf("\n"); + user_fullpath[len-1] = '\0'; + } + return(r); } -- 2.44.0