
[src/trunk]: src/usr.sbin/pkg_install/add Fix a buffer overrun bug. The TOOB...



details:   https://anonhg.NetBSD.org/src/rev/b4cc83bbe000
branches:  trunk
changeset: 495246:b4cc83bbe000
user:      dmcmahill <dmcmahill%NetBSD.org@localhost>
date:      Mon Jul 24 20:09:15 2000 +0000

description:
Fix a buffer overrun bug.  The TOOBIG macro had some hard-coded constants
which needed to be set at compile time but weren't (to handle the case where
TAR_CMD was set to something other than "tar", e.g. "gtar").  In addition to
the constants being wrong, the wrong directory name was being examined for
its string length.

Add a few comments to hopefully avoid having this problem come back.

diffstat:

 usr.sbin/pkg_install/add/extract.c |  46 +++++++++++++++++++++++++++----------
 1 files changed, 33 insertions(+), 13 deletions(-)

diffs (105 lines):

diff -r 99a2deff572b -r b4cc83bbe000 usr.sbin/pkg_install/add/extract.c
--- a/usr.sbin/pkg_install/add/extract.c        Mon Jul 24 18:43:16 2000 +0000
+++ b/usr.sbin/pkg_install/add/extract.c        Mon Jul 24 20:09:15 2000 +0000
@@ -1,11 +1,11 @@
-/*     $NetBSD: extract.c,v 1.21 2000/06/16 23:49:17 sjg Exp $ */
+/*     $NetBSD: extract.c,v 1.22 2000/07/24 20:09:15 dmcmahill Exp $   */
 
 #include <sys/cdefs.h>
 #ifndef lint
 #if 0
 static const char *rcsid = "FreeBSD - Id: extract.c,v 1.17 1997/10/08 07:45:35 charnier Exp";
 #else
-__RCSID("$NetBSD: extract.c,v 1.21 2000/06/16 23:49:17 sjg Exp $");
+__RCSID("$NetBSD: extract.c,v 1.22 2000/07/24 20:09:15 dmcmahill Exp $");
 #endif
 #endif
 
@@ -34,15 +34,24 @@
 #include "add.h"
 
 #define TAR_ARGS       " cf - "
+#define TARX_CMD       "|" TAR_CMD " xf - -C "
 
-#define TOOBIG(str) ((strlen(str) + 22 + strlen(home) + where_count > maxargs) \
-               || (strlen(str) + 6 + strlen(home) + perm_count > maxargs))
+/* 
+ * This macro is used to determine if the 'where_args'  buffer is big enough to add the
+ * current string (usually a filename) plus some extra commands (the contents of TARX_CMD, and
+ * the directory name stored in 'Directory').
+ * 
+ * The string " 'str'" will be added so we need room for the string plus 3 chars plus the other arguments.
+ * 
+ * In addition, we will add " 'srt'" to the perm_args buffer so we need to ensure that there is room
+ * for that.
+ */
+#define TOOBIG(str) ((strlen(str) + 3 + strlen(TARX_CMD) + strlen(Directory) + where_count  >= maxargs) \
+               || (strlen(str) + 3 + perm_count >= maxargs))
 
 #define PUSHOUT(todir) /* push out string */                           \
         if (where_count > sizeof(TAR_CMD) + sizeof(TAR_ARGS)-1) {      \
-                   strcat(where_args, "|");                            \
-                   strcat(where_args, TAR_CMD);                        \
-                   strcat(where_args, " xf - -C ");                    \
+                   strcat(where_args, TARX_CMD);                       \
                    strcat(where_args, todir);                          \
                    if (system(where_args)) {                           \
                        cleanup(0);                                     \
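Review bot: TOOBIG reserves room for `strlen(Directory)`, but PUSHOUT appends its `todir` argument with an unbounded `strcat`, so the reservation only holds while every caller passes `Directory` and that value has not changed since the last TOOBIG check. The call sites visible in this diff do pass `Directory`; any others are outside the hunks. I would state the coupling in the macro comment, e.g. `* PUSHOUT must be called with the same 'Directory' that TOOBIG measured.` The guard `where_count > sizeof(TAR_CMD) + sizeof(TAR_ARGS)-1` also still uses the sizeof arithmetic this commit replaces elsewhere; `where_count > strlen(TAR_CMD TAR_ARGS)` would match the new counting and behaves the same, since every append adds at least three characters. PUSHOUT's body continues past this hunk.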
@@ -50,9 +59,8 @@
                                (u_long)strlen(where_args), TAR_CMD,    \
                                where_args);                            \
                    }                                                   \
-                   strcpy(where_args, TAR_CMD);                        \
-                   strcat(where_args, TAR_ARGS);                       \
-                   where_count = sizeof(TAR_CMD) + sizeof(TAR_ARGS)-2; \
+                   strcpy(where_args, TAR_CMD TAR_ARGS);               \
+                   where_count = strlen(where_args);                   \
        }                                                               \
        if (perm_count) {                                               \
                    apply_perms(todir, perm_args);                      \
@@ -110,10 +118,19 @@
                cleanup(0);
                errx(2, "can't get argument list space");
        }
-       strcpy(where_args, TAR_CMD);
-       strcat(where_args, TAR_ARGS);
-       where_count = sizeof(TAR_CMD) + sizeof(TAR_ARGS) - 2;
+       strcpy(where_args, TAR_CMD TAR_ARGS);
+       /*
+        * we keep track of how many characters are stored in 'where_args' with 'where_count'.
+        * Note this doesn't include the trailing null character.
+        */
+       where_count = strlen(where_args);
+
        perm_args[0] = 0;
+       /*
+        * we keep track of how many characters are stored in 'perm__args' with 'perm_count'.
+        * Note this doesn't include the trailing null character.
+        */
+       perm_count = 0;
 
        last_chdir = 0;
        preserve = find_plist_option(pkg, "preserve") ? TRUE : FALSE;
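Review bot: The new comment above `perm_count = 0;` names the buffer `'perm__args'`; it should read `'perm_args'`. The TOOBIG comment in the earlier hunk has a similar slip, `" 'srt'"` where `" 'str'"` is meant. Since these comments exist to keep the counters and the macro in step, it would also help to say here that both counters are compared against `maxargs`, presumably the allocated size of both buffers (the allocation is outside the hunk).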
@@ -198,6 +215,7 @@
                                        if (p->name[0] == '/' || TOOBIG(p->name)) {
                                                PUSHOUT(Directory);
                                        }
+                                       /* note, if the following line is modified, TOOBIG must be adjusted accordingly */
                                        add_count = snprintf(&perm_args[perm_count], maxargs - perm_count, "'%s' ", p->name);
                                        if (add_count > maxargs - perm_count) {
                                                cleanup(0);
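Review bot: The backstop `if (add_count > maxargs - perm_count)` after `snprintf` misses the exact-fit case, because snprintf returns the length it wanted to write excluding the NUL, so a return equal to the remaining size already means the output was truncated. With TOOBIG now using `>=` this should not be reachable, but the check is the last line of defence if the macro and the format string drift apart again; `if (add_count < 0 || add_count >= maxargs - perm_count) {` would catch both truncation and an error return. The same comparison is used for `where_args` and `where_count` in the following hunk. The declarations of `add_count` and `maxargs` are outside the hunk, so confirm their signedness before applying this.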
@@ -212,12 +230,14 @@
                                        } else if (p->name[0] == '/' || TOOBIG(p->name)) {
                                                PUSHOUT(Directory);
                                        }
+                                       /* note, if the following line is modified, TOOBIG must be adjusted accordingly */
                                        add_count = snprintf(&where_args[where_count], maxargs - where_count, " '%s'", p->name);
                                        if (add_count > maxargs - where_count) {
                                                cleanup(0);
                                                errx(2, "oops, miscounted strings!");
                                        }
                                        where_count += add_count;
+                                       /* note, if the following line is modified, TOOBIG must be adjusted accordingly */
                                        add_count = snprintf(&perm_args[perm_count],
                                            maxargs - perm_count,
                                            "'%s' ", p->name);
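Review bot: The name is wrapped in single quotes by `" '%s'"` and the resulting string is later run through `system()` in PUSHOUT, but nothing in this hunk rejects or escapes a `p->name` that itself contains a single quote. Packing-list entries come from the package being installed, so unless names are validated earlier (not visible here) a crafted entry could alter the shell command line. A defensive fix is to refuse such names before appending, e.g. `if (strchr(p->name, '\'') != NULL) { cleanup(0); errx(2, "illegal character in file name"); }`, or to pass the file list to tar without going through a shell. The enclosing loop starts and ends outside the hunk.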


