Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
getmntent: fix memory corruption w/blank lines [BZ #18887]
The fix for BZ #17273 introduced a single byte of memory corruption when
the line is entirely blank.  It would walk back past the start of the
buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte.
	buffer = '\n';
	end_ptr = buffer;
	while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
		end_ptr--;
	*end_ptr = '\0';

Fix that and rework the tests.  Adding the testcase for BZ #17273 to the
existing \040 parser does not really make sense as it's unrelated, and
leads to confusing behavior: it implicitly relies on the new entry being
longer than the previous entry (since it just rewinds the FILE*).  Split
it out into its own dedicated testcase instead.
  • Loading branch information
Mike Frysinger committed Aug 29, 2015
1 parent 30da407 commit b0e805f
Show file tree
Hide file tree
Showing 6 changed files with 113 additions and 22 deletions.
10 changes: 10 additions & 0 deletions ChangeLog
@@ -1,3 +1,13 @@
2015-08-28 Mike Frysinger <vapier@gentoo.org>

[BZ #18887]
* misc/Makefile (tests): Add tst-mntent-blank-corrupt and
tst-mntent-blank-passno.
* misc/mntent_r.c (__getmntent_r): Do not read past buffer[0].
* misc/tst-mntent-blank-corrupt.c: New test.
* misc/tst-mntent-blank-passno.c: New test ripped from ...
* misc/tst-mntent.c (do_test): ... here.

2015-08-29 Mike Frysinger <vapier@gentoo.org>

[BZ #4404]
Expand Down
3 changes: 2 additions & 1 deletion misc/Makefile
Expand Up @@ -76,7 +76,8 @@ install-lib := libg.a
gpl2lgpl := error.c error.h

tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
tst-mntent-blank-corrupt tst-mntent-blank-passno
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)tst-error1-mem.out
endif
Expand Down
4 changes: 3 additions & 1 deletion misc/mntent_r.c
Expand Up @@ -136,7 +136,9 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
end_ptr = strchr (buffer, '\n');
if (end_ptr != NULL) /* chop newline */
{
while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
/* Do not walk past the start of buffer if it's all whitespace. */
while (end_ptr != buffer
&& (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))
end_ptr--;
*end_ptr = '\0';
}
Expand Down
45 changes: 45 additions & 0 deletions misc/tst-mntent-blank-corrupt.c
@@ -0,0 +1,45 @@
/* Make sure blank lines does not cause memory corruption BZ #18887.
Copyright (C) 2009-2015 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */

#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Make sure blank lines don't trigger memory corruption. This doesn't happen
for all targets though, so it's a best effort test BZ #18887. */
static int
do_test (void)
{
FILE *fp;

fp = tmpfile ();
fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp);
rewind (fp);

/* The corruption happens here ... */
getmntent (fp);
/* ... but trigers here. */
endmntent (fp);

/* If the test failed, we would crash, and not hit this point. */
return 0;
}

#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"
53 changes: 53 additions & 0 deletions misc/tst-mntent-blank-passno.c
@@ -0,0 +1,53 @@
/* Make sure trailing whitespace is handled properly BZ #17273.
Copyright (C) 2009-2015 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */

#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Check entries to make sure trailing whitespace is ignored and we return the
correct passno value BZ #17273. */
static int
do_test (void)
{
int result = 0;
FILE *fp;
struct mntent *mnt;

fp = tmpfile ();
fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);
rewind (fp);

mnt = getmntent (fp);
if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
|| strcmp (mnt->mnt_dir, "/bar dir") != 0
|| strcmp (mnt->mnt_type, "auto") != 0
|| strcmp (mnt->mnt_opts, "bind") != 0
|| mnt->mnt_freq != 0
|| mnt->mnt_passno != 0)
{
puts ("Error while reading entry with trailing whitespaces");
result = 1;
}

return result;
}

#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"
20 changes: 0 additions & 20 deletions misc/tst-mntent.c
Expand Up @@ -73,26 +73,6 @@ do_test (void)
puts ("Error while reading written entry back in");
result = 1;
}

/* Part III: Entry with whitespaces at the end of a line. */
rewind (fp);

fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);

rewind (fp);

mnt = getmntent (fp);

if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
|| strcmp (mnt->mnt_dir, "/bar dir") != 0
|| strcmp (mnt->mnt_type, "auto") != 0
|| strcmp (mnt->mnt_opts, "bind") != 0
|| mnt->mnt_freq != 0
|| mnt->mnt_passno != 0)
{
puts ("Error while reading entry with trailing whitespaces");
result = 1;
}
}

return result;
Expand Down

0 comments on commit b0e805f

Please sign in to comment.