[PATCH] udev - read long lines from config files overflow fix

Hi Kay,

On 23:12 Sat 04 Sep     , Kay Sievers wrote:
> Cool, a real bug :)
> Thanks, for the patch. I think it would be better to skip lenghth exceeding
> lines instead of cutting it and continue. While looking at it I restructured
> the buffer reading logic a bit and fixed another stupid bug.
Thanks for the cleanup.

You may have overlooked the fix for udev_config.c(parsing udev.conf) in
your patch.  So, I've adapted the fixes you applied to namedev_parse.c
to this file also.

Also, while 'eating' the whitespace the 'count' doesn't get decremented.
This leads strncpy to copy the number of whitespace minus 1 characters
from the next line. Minus 1 because it copies '\n' from the current
line.

		while (isspace(bufline[0])) {
			bufline++;
+			count--;
		}
		.
		.
		.
		strncpy(line, bufline, count);

Included patch(against udev-030) contains the above fixes as well as
your fixes.


Signed-off-by: Arun Bhanu <arun@codemovers.org>

1 files changed, 9 insertions, 8 deletions

diff --git a/klibc_fixups.c b/klibc_fixups.c
index bbacfbdc75..d1a452a449 100644
--- a/klibc_fixups.c
+++ b/klibc_fixups.c
@@ -41,8 +41,9 @@
 static unsigned long get_id_by_name(const char *uname, const char *dbfile)
 {
 	unsigned long id = -1;
-	char line[255];
+	char line[LINE_SIZE];
 	char *buf;
+	char *bufline;
 	size_t bufsize;
 	size_t cur;
 	size_t count;
@@ -59,19 +60,19 @@ static unsigned long get_id_by_name(const char *uname, const char *dbfile)
 	}
 
 	/* loop through the whole file */
-
 	cur = 0;
-	while (1) {
+	while (cur < bufsize) {
 		count = buf_get_line(buf, bufsize, cur);
+		bufline = &buf[cur];
+		cur += count+1;
+
+		if (count >= LINE_SIZE)
+			continue;
 
-		strncpy(line, buf + cur, count);
+		strncpy(line, bufline, count);
 		line[count] = '\0';
 		pos = line;
 
-		cur += count+1;
-		if (cur > bufsize)
-			break;
-
 		/* get name */
 		name = strsep(&pos, ":");
 		if (name == NULL)