authorkay.sievers@vrfy.org <kay.sievers@vrfy.org>2004-01-28 19:00:51 -0800
committerGreg KH <gregkh@suse.de>2005-04-26 21:13:20 -0700
commit8a08e4b1906eef5d5cb585b125612cce8d565e5c (patch)
treeef577b437aa6c98efd7b2795ff271553cb49f8d2
parentbc59f0167a03be2d2e4cf8a680dda8444243c64f (diff)
[PATCH] fix possible buffer overflow
On Tue, Jan 27, 2004 at 11:02:25AM -0800, Greg KH wrote: > On Mon, Jan 26, 2004 at 07:28:03PM -0500, Adrian Drzewiecki wrote: > > Looking over the code, I noticed something odd in > > namedev.c:strcmp_pattern() -- > > > > while (*p && (*p != ']')) > > p ++; > > return strcmp_pattern(p+1, s+1); > > > > If the pattern string is invalid, and is not terminated by a ']', then 'p' > > will point at \0 and p+1 will be beyond the string. > > Yes, I think you are correct. > > Hm, Kay, any idea of the proper way to fix this? I've attached a patch > below, but I don't think it is correct. > > while (*p && (*p != ']')) > p++; > - return strcmp_pattern(p+1, s+1); > + if (*p) > + return strcmp_pattern(p+1, s+1); > + else > + return 1; > } > } Sure, it's perfectly correct. I'm wondering how Adrian found this. We can use the return 1 at the end of the whole function, and asking for the closing ']' is more descriptive, but it does the same. - return strcmp_pattern(p+1, s+1); + if (*p == ']') + return strcmp_pattern(p+1, s+1); Patch is attached, that also replaces all the *s with s[0].
-rw-r--r--namedev.c25
1 files changed, 13 insertions, 12 deletions
diff --git a/namedev.c b/namedev.c
index de7f7c1b88..6685596479 100644
--- a/namedev.c
+++ b/namedev.c
@@ -47,34 +47,35 @@ LIST_HEAD(perm_device_list);
/* compare string with pattern (supports * ? [0-9] [!A-Z]) */
static int strcmp_pattern(const char *p, const char *s)
{
- if (*s == '\0') {
- while (*p == '*')
+ if (s[0] == '\0') {
+ while (p[0] == '*')
p++;
- return (*p != '\0');
+ return (p[0] != '\0');
}
- switch (*p) {
+ switch (p[0]) {
case '[':
{
int not = 0;
p++;
- if (*p == '!') {
+ if (p[0] == '!') {
not = 1;
p++;
}
- while (*p && (*p != ']')) {
+ while ((p[0] != '\0') && (p[0] != ']')) {
int match = 0;
if (p[1] == '-') {
- if ((*s >= *p) && (*s <= p[2]))
+ if ((s[0] >= p[0]) && (s[0] <= p[2]))
match = 1;
p += 3;
} else {
- match = (*p == *s);
+ match = (p[0] == s[0]);
p++;
}
if (match ^ not) {
- while (*p && (*p != ']'))
+ while ((p[0] != '\0') && (p[0] != ']'))
p++;
- return strcmp_pattern(p+1, s+1);
+ if (p[0] == ']')
+ return strcmp_pattern(p+1, s+1);
}
}
}
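Review bot: The range branch at `if (p[1] == '-')` still reads `p[2]` and then does `p += 3` without confirming that `p[2]` is not the terminator, so a pattern that ends in `[a-` steps `p` past the NUL and the next `while ((p[0] != '\0') && ...)` test reads outside the string, the same class of over-read the added `if (p[0] == ']')` guard closes for the missing bracket. Guarding the range form the same way, `if ((p[1] == '-') && (p[2] != '\0')) {`, keeps the truncated pattern on the single-character path, where `p++` can only land on the terminator. It would also be worth checking, though I cannot confirm the intended glob semantics from this hunk alone, whether `p[2] == ']'` should be treated as a range end or as a literal `-`, since `p += 3` currently skips the closing bracket in that case. strcmp_pattern continues past the end of this hunk.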
@@ -84,12 +85,12 @@ static int strcmp_pattern(const char *p, const char *s)
return strcmp_pattern(p+1, s);
return 0;
case '\0':
- if (*s == '\0') {
+ if (s[0] == '\0') {
return 0;
}
break;
default:
- if ((*p == *s) || (*p == '?'))
+ if ((p[0] == s[0]) || (p[0] == '?'))
return strcmp_pattern(p+1, s+1);
break;
}
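Review bot: The function's return convention is not documented anywhere, and it is inverted relative to what a name containing "pattern" usually suggests: `case '\0'` returns 0 when both strings are exhausted, i.e. 0 means match, like strcmp, while the non-zero results mean mismatch. Extending the header comment above the function to `/* compare string with pattern (supports * ? [0-9] [!A-Z]); returns 0 on match, non-zero otherwise, like strcmp */` would spare callers from reading the recursion to find this out. The switch closes at the end of this hunk but the function's final return lies outside it.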