From patchwork Thu Dec 1 15:58:26 2011
X-Patchwork-Submitter: Jim Meyering
X-Patchwork-Id: 128717
From: Jim Meyering
To: fedfs-utils-devel@oss.oracle.com
Date: Thu, 1 Dec 2011 16:58:26 +0100
Message-Id: <1322755106-8171-10-git-send-email-jim@meyering.net>
X-Mailer: git-send-email 1.7.7.3
In-Reply-To: <1322755106-8171-1-git-send-email-jim@meyering.net>
References: <1322755106-8171-1-git-send-email-jim@meyering.net>
Subject: [fedfs-utils] [PATCH 9/9] libnsdb: do not read beyond end of malloc'd buffer; do NUL-terminate
Reply-To: fedfs-utils Developers
List-Id: fedfs-utils Developers

nsdb_sanitize_annotation backslash-escapes its input string into malloc'd storage. Worst case is that it has to escape every input byte. That means allocating 2*N bytes for the actual data, and one more for the trailing NUL byte. That last byte was not allocated.

At first, I thought there must be a buffer overrun. But no, because there was a second problem: the trailing NUL byte was never written. If it worked at all, it worked by accident, because the unused part of the malloc'd buffer happened to be zero-filled.

* src/libnsdb/annotation.c (nsdb_sanitize_annotation): Correct two problems:
1) allocated too little memory, by one byte
2) did not NUL-terminate the output buffer
Callers thinking they have a NUL-terminated string would segfault if there happened to be many non-NUL bytes after the sanitized string.

Found by inspection.
Signed-off-by: Jim Meyering --- src/libnsdb/annotation.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/libnsdb/annotation.c b/src/libnsdb/annotation.c index 2447275..f54500f 100644 --- a/src/libnsdb/annotation.c +++ b/src/libnsdb/annotation.c @@ -114,7 +114,7 @@ nsdb_sanitize_annotation(const char *in, char **out) /* Assume worst case: every input character must be escaped */ len = strlen(in); - result = malloc(len * 2); + result = malloc(len * 2 + 1); if (result == NULL) { xlog(D_GENERAL, "%s: Failed to allocate output buffer", __func__); @@ -129,6 +129,9 @@ nsdb_sanitize_annotation(const char *in, char **out) result[j++] = in[i]; } + /* NUL-terminate */ + result[j] = 0; + *out = result; xlog(D_CALL, "%s: out_len = %zu, out = \"%s\"", __func__, j, result);
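Review bot: the new size in the first hunk, `malloc(len * 2 + 1)`, matches the loop that follows it exactly: each input byte emits at most two output bytes, so j ends at most at 2*len and the extra byte is the slot for the terminator. A short comment tying the two together (for example extending the existing one to "every input character must be escaped, plus one byte for the NUL") would keep the allocation and the loop from drifting apart again; the unchecked `len * 2` can only wrap for an input longer than half the address space, so that is a theoretical rather than practical concern.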
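Review bot: `result[j] = 0;` in the second hunk is in bounds (j <= 2*len after the loop and the buffer now holds 2*len + 1 bytes), and it also makes the `xlog(D_CALL, "%s: out_len = %zu, out = \"%s\"", __func__, j, result)` two lines below safe, since before this change that `%s` itself read the unterminated buffer. A style point: writing `result[j] = '\0';` states the intent in the code and makes the `/* NUL-terminate */` comment unnecessary.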
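The sizing argument from the commit message, worked through as an added example that is not fedfs-utils code: a sanitizer written from that description, with the escape set (backslash and double quote) assumed because the page does not show it, and two checks that exercise the worst case the message describes.

```c
/* Added example, not fedfs-utils code: a backslash-escaping sanitizer written
 * from the commit message.  The escape set (backslash, double quote) is assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Escape IN into a malloc'd, NUL-terminated string at *OUT; 0 on success,
 * -1 if the size computation would wrap or malloc fails. */
int sanitize_annotation(const char *in, char **out)
{
	size_t len = strlen(in), i, j = 0;
	char *result;
	/* Worst case: every input byte is escaped (2*len), plus one for the NUL. */
	if (len > (SIZE_MAX - 1) / 2)
		return -1;
	result = malloc(len * 2 + 1);
	if (result == NULL)
		return -1;
	for (i = 0; i < len; i++) {
		if (in[i] == '\\' || in[i] == '"')	/* assumed escape set */
			result[j++] = '\\';
		result[j++] = in[i];
	}
	result[j] = '\0';	/* j <= 2*len here, so this index is in bounds */
	*out = result;
	return 0;
}
/* Return 1 if sanitizing IN yields exactly EXPECTED, else 0. */
int sanitizes_to(const char *in, const char *expected)
{
	char *out = NULL;
	int ok = sanitize_annotation(in, &out) == 0 && strcmp(out, expected) == 0;
	free(out);
	return ok;
}
/* The commit message's worst case: n bytes that all need escaping.  Return 1
 * if the output has exactly 2*n bytes before its terminating NUL, else 0. */
int worst_case_ok(size_t n)
{
	char *in = malloc(n + 1), *out = NULL;
	int ok = 0;
	if (in != NULL) {
		memset(in, '"', n);
		in[n] = '\0';
		ok = sanitize_annotation(in, &out) == 0 && strlen(out) == 2 * n;
	}
	free(in);
	free(out);
	return ok;
}
```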