config

Kyle Evans Tue, 07 Apr 2020 07:15:29 -0700

Author: kevans
Date: Tue Apr  7 14:14:59 2020
New Revision: 359689
URL: https://svnweb.freebsd.org/changeset/base/359689


Log:
  config(8): "fix" a couple of buffer overflows
  
  Recently added/changed lines in various kernel configs have caused some
  buffer overflows that went undetected. These were detected with a config
  built using -fno-common as these line buffers smashed one of our arrays,
  then further triaged with ASAN.
  
  Double the sizes; this is really not a great fix, but addresses the
  immediate need until someone rewrites config. While here, add some bounds
  checking so that we don't need to detect this by random bus errors or other
  weird failures.
  
  MFC after:    3 days

Modified:
  head/usr.sbin/config/main.c

Modified: head/usr.sbin/config/main.c
==============================================================================
--- head/usr.sbin/config/main.c Tue Apr  7 12:57:50 2020        (r359688)
+++ head/usr.sbin/config/main.c Tue Apr  7 14:14:59 2020        (r359689)
@@ -322,7 +322,7 @@ usage(void)
 char *
 get_word(FILE *fp)
 {
-       static char line[80];
+       static char line[160];
        int ch;
        char *cp;
        int escaped_nl = 0;
@@ -352,11 +352,17 @@ begin:
                *cp = 0;
                return (line);
        }
-       while ((ch = getc(fp)) != EOF) {
+       while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
                if (isspace(ch))
                        break;
                *cp++ = ch;
        }
+       if (cp >= line + sizeof(line)) {
+               line[sizeof(line) - 1] = '\0';
+               fprintf(stderr, "config: attempted overflow, partial line: 
`%s'",
+                   line);
+               exit(2);
+       }
        *cp = 0;
        if (ch == EOF)
                return ((char *)EOF);
@@ -372,7 +378,7 @@ begin:
 char *
 get_quoted_word(FILE *fp)
 {
-       static char line[256];
+       static char line[512];
        int ch;
        char *cp;
        int escaped_nl = 0;
@@ -415,15 +421,29 @@ begin:
                        }
                        if (ch != quote && escaped_nl)
                                *cp++ = '\\';
+                       if (cp >= line + sizeof(line)) {
+                               line[sizeof(line) - 1] = '\0';
+                               printf(
+                                   "config: line buffer overflow reading 
partial line `%s'\n",
+                                   line);
+                               exit(2);
+                       }
                        *cp++ = ch;
                        escaped_nl = 0;
                }
        } else {
                *cp++ = ch;
-               while ((ch = getc(fp)) != EOF) {
+               while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
                        if (isspace(ch))
                                break;
                        *cp++ = ch;
+               }
+               if (cp >= line + sizeof(line)) {
+                       line[sizeof(line) - 1] = '\0';
+                       printf(
+                           "config: line buffer overflow reading partial line 
`%s'\n",
+                           line);
+                       exit(2);
                }
                if (ch != EOF)
                        (void) ungetc(ch, fp);
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

svn commit: r359689 - head/usr.sbin/config

Reply via email to