RS: fix bug that overflows r_argv[]

	. reported and debugged by Arne Welzel
	. problem is if there are too many args
	. there is a check, but then unconditional NULL termination

diff --git a/servers/rs/manager.c b/servers/rs/manager.c
index 5efc25904d6f1c8b21508003ec90a406520bd0e5..7f0c57ee8ce9e919ca2d0908109b969f764da1e6 100644 (file)
--- a/servers/rs/manager.c
+++ b/servers/rs/manager.c
@@ -181,11 +181,17 @@ PUBLIC void build_cmd_dep(struct rproc *rp)
           *cmd_ptr = '\0';                     /* terminate previous */
          while (*++cmd_ptr == ' ') ;           /* skip spaces */
          if (*cmd_ptr == '\0') break;          /* no arg following */
-         if (arg_count>MAX_NR_ARGS+1) break;   /* arg vector full */
+         /* There are ARGV_ELEMENTS elements; must leave one for null */
+         if (arg_count>=ARGV_ELEMENTS-1) {     /* arg vector full */
+               printf("RS: build_cmd_dep: too many args\n");
+               break;
+         }
+         assert(arg_count < ARGV_ELEMENTS);
           rp->r_argv[arg_count++] = cmd_ptr;   /* add to arg vector */
       }
       cmd_ptr ++;                              /* continue parsing */
   }
+  assert(arg_count < ARGV_ELEMENTS);
   rp->r_argv[arg_count] = NULL;                        /* end with NULL pointer */
   rp->r_argc = arg_count;
   

diff --git a/servers/rs/type.h b/servers/rs/type.h
index 8deb541e1a5d66661fde18eadbc6a34c20d69aad..378f26198f1c2cf7ec4a384f71f0daf9e58c9df3 100644 (file)
--- a/servers/rs/type.h
+++ b/servers/rs/type.h
@@ -50,7 +50,8 @@ struct rproc {
 
   char r_cmd[MAX_COMMAND_LEN]; /* raw command plus arguments */
   char r_args[MAX_COMMAND_LEN];        /* null-separated raw command plus arguments */
-  char *r_argv[MAX_NR_ARGS+2];  /* parsed arguments vector */
+#define ARGV_ELEMENTS (MAX_NR_ARGS+2) /* path, args, null */
+  char *r_argv[ARGV_ELEMENTS];
   int r_argc;                          /* number of arguments */
   char r_script[MAX_SCRIPT_LEN]; /* name of the restart script executable */