From: David van Moolenbroek Date: Sun, 10 May 2009 16:54:37 +0000 (+0000) Subject: potential buffer overruns in env_* routines X-Git-Tag: v3.1.4~49 X-Git-Url: http://zhaoyanbai.com/repos/README?a=commitdiff_plain;h=a2485b346cb78e7c69e1b8d5ee9b83011b6c3713;p=minix.git potential buffer overruns in env_* routines --- diff --git a/lib/sysutil/env_get_prm.c b/lib/sysutil/env_get_prm.c index cad5aead0..c69cdf52c 100644 --- a/lib/sysutil/env_get_prm.c +++ b/lib/sysutil/env_get_prm.c @@ -44,7 +44,7 @@ int max_len; /* maximum length of value */ if (argv[i][keylen] != '=') continue; key_value= argv[i]+keylen+1; - if (strlen(key_value)+1 > EP_BUF_SIZE) + if (strlen(key_value)+1 > max_len) return(E2BIG); strcpy(value, key_value); return OK; @@ -65,11 +65,14 @@ int max_len; /* maximum length of value */ if ((key_value = find_key(mon_params, key)) == NULL) return(ESRCH); - /* Value found, make the actual copy (as far as possible). */ - strncpy(value, key_value, max_len); - - /* See if it fits in the client's buffer. */ + /* Value found, see if it fits in the client's buffer. Callers assume that + * their buffer is unchanged on error, so don't make a partial copy. + */ if ((strlen(key_value)+1) > max_len) return(E2BIG); + + /* Make the actual copy. */ + strcpy(value, key_value); + return(OK); } diff --git a/lib/sysutil/env_panic.c b/lib/sysutil/env_panic.c index eb2aa11cb..9d724feec 100644 --- a/lib/sysutil/env_panic.c +++ b/lib/sysutil/env_panic.c @@ -11,7 +11,7 @@ char *key; /* environment variable whose value is bogus */ int s; if ((s=env_get_param(key, value, sizeof(value))) == 0) { if (s != ESRCH) /* only error allowed */ - printf("WARNING: get_mon_param() failed in env_panic(): %d\n", s); + printf("WARNING: env_get_param() failed in env_panic(): %d\n", s); } printf("Bad environment setting: '%s = %s'\n", key, value); panic("","", NO_NUM); diff --git a/lib/sysutil/env_parse.c b/lib/sysutil/env_parse.c index c20d5126f..a6c767a9e 100644 --- a/lib/sysutil/env_parse.c +++ b/lib/sysutil/env_parse.c @@ -34,7 +34,7 @@ long min, max; /* minimum and maximum values for the parameter */ if ((s=env_get_param(env, value, sizeof(value))) != 0) { if (s == ESRCH) return(EP_UNSET); /* only error allowed */ - printf("WARNING: get_mon_param() failed in env_parse(): %d\n",s); + printf("WARNING: env_get_param() failed in env_parse(): %d\n",s); return(EP_EGETKENV); } val = value; diff --git a/lib/sysutil/env_prefix.c b/lib/sysutil/env_prefix.c index b569f7ddb..b76232aab 100644 --- a/lib/sysutil/env_prefix.c +++ b/lib/sysutil/env_prefix.c @@ -19,11 +19,11 @@ char *prefix; /* prefix to test for */ if ((s = env_get_param(env, value, sizeof(value))) != 0) { if (s != ESRCH) /* only error allowed */ - printf("WARNING: get_mon_param() failed in env_prefix(): %d\n", s); + printf("WARNING: env_get_param() failed in env_prefix(): %d\n", s); + return FALSE; } n = strlen(prefix); - return(value != NULL - && strncmp(value, prefix, n) == 0 + return(strncmp(value, prefix, n) == 0 && strchr(punct, value[n]) != NULL); }