From patchwork Tue Dec 13 22:51:04 2011
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 131201
From: Chuck Lever
To: fedfs-utils-devel@oss.oracle.com
Date: Tue, 13 Dec 2011 17:51:04 -0500
Message-ID: <20111213225104.15402.20779.stgit@degas.1015granger.net>
In-Reply-To: <20111213224842.15402.340.stgit@degas.1015granger.net>
References: <20111213224842.15402.340.stgit@degas.1015granger.net>
User-Agent: StGIT/0.14.3
Subject: [fedfs-utils] [PATCH 01/12] libnsdb: do not read beyond end of malloc'd buffer; do NUL-terminate
List-Id: fedfs-utils Developers
From: Jim Meyering

nsdb_sanitize_annotation backslash-escapes its input string into malloc'd storage. Worst case is that it has to escape every input byte. That means allocating 2*N bytes for the actual data, and one more for the trailing NUL byte. That last byte was not allocated.

At first, I thought there must be a buffer overrun. But no, because there was a second problem: the trailing NUL byte was never written. If it worked at all, it worked by accident, because the unused part of the malloc'd buffer happened to be zero-filled.

* src/libnsdb/annotation.c (nsdb_sanitize_annotation): Correct two problems:
  1) allocated too little memory, by one byte
  2) did not NUL-terminate the output buffer
Callers thinking they have a NUL-terminated string would segfault if there happened to be many non-NUL bytes after the sanitized string.

Found by inspection. Introduced by commit 0520ee72: "Initial commit," (March 29, 2011).

Signed-off-by: Jim Meyering
Signed-off-by: Chuck Lever
---
 src/libnsdb/annotation.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libnsdb/annotation.c b/src/libnsdb/annotation.c index 2447275..6444122 100644 --- a/src/libnsdb/annotation.c +++ b/src/libnsdb/annotation.c @@ -101,7 +101,7 @@ * Check for UTF-8 cleanliness and provide proper escaping * * @param in NUL-terminated C string containing string to sanitize - * @param out OUT: dynamically allocated C string containing cleansed string + * @param out OUT: NUL-terminated C string containing cleansed value * @return a FedFsStatus code * * Caller must free "out" with free(3) @@ -114,7 +114,7 @@ nsdb_sanitize_annotation(const char *in, char **out) /* Assume worst case: every input character must be escaped */ len = strlen(in); - result = malloc(len * 2); + result = malloc(len * 2 + 1); if (result == NULL) { xlog(D_GENERAL, "%s: Failed to allocate output buffer", __func__); 
@@ -128,6 +128,7 @@ nsdb_sanitize_annotation(const char *in, char **out) result[j++] = in[i]; } + result[j] = '\0'; *out = result; xlog(D_CALL, "%s: out_len = %zu, out = \"%s\"",
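Review bot: the rewritten "@param out" line in the first hunk drops "dynamically allocated", which the old text stated and which is the property that obliges the caller to free(3) the result; keeping both properties in the parameter description ("dynamically allocated, NUL-terminated C string containing cleansed value") would state the full contract in one place instead of relying on the trailing "Caller must free" sentence.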
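Review bot: in the second hunk `result = malloc(len * 2 + 1);` does the size arithmetic in size_t with no guard, so a `len` larger than (SIZE_MAX - 1) / 2 wraps the product and allocates a buffer far smaller than the escaping loop assumes. A NUL-terminated input of that length is unlikely from the callers of this function, but a single range check on `len` before the malloc, returning a failure status the same way the existing `if (result == NULL)` branch does, closes the gap and documents the assumption.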
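Review bot: `result[j] = '\0';` in the third hunk is in bounds only because the second hunk grew the allocation to `len * 2 + 1` (j is at most 2 * len when the loop ends), so the two hunks are a matched pair and must not be cherry-picked separately. The commit message could also mention that the `xlog(D_CALL, "%s: out_len = %zu, out = \"%s\"", ...` call directly below the new line prints `out` with %s, so before this change the function itself, not only its callers, read past the end of the unterminated buffer whenever that log level was enabled.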
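An added worked example, not fedfs-utils code, of the allocation and termination discipline this patch restores: escape into a malloc'd buffer sized for the worst case plus the terminator, guard the size arithmetic so the product cannot wrap, and write the NUL before handing the buffer out. The escape set used here (backslash and double quote) and the names sanitize_escape, escapes_to and escaped_len are assumptions chosen for illustration, not nsdb_sanitize_annotation's actual rules or API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical sanitizer (assumption: escapes '\\' and '"' by
 * prefixing a backslash). On success returns 0 and stores a
 * NUL-terminated, malloc'd string in *out that the caller must free;
 * on failure returns an errno value and leaves *out untouched.
 */
static int sanitize_escape(const char *in, char **out)
{
    size_t len = strlen(in);
    size_t i, j = 0;
    char *result;

    /* Worst case: every input byte is escaped (2 * len bytes), plus
     * one byte for the trailing NUL. Reject lengths for which
     * len * 2 + 1 would wrap around in size_t. */
    if (len > (SIZE_MAX - 1) / 2)
        return EOVERFLOW;
    result = malloc(len * 2 + 1);
    if (result == NULL)
        return ENOMEM;

    for (i = 0; i < len; i++) {
        if (in[i] == '\\' || in[i] == '"')
            result[j++] = '\\';
        result[j++] = in[i];
    }
    /* j <= 2 * len here, so index j lies inside the 2 * len + 1 bytes
     * allocated above; this write is what makes *out a C string. */
    result[j] = '\0';
    *out = result;
    return 0;
}

/* Returns 1 when escaping `in` yields exactly `expected`, else 0. */
static int escapes_to(const char *in, const char *expected)
{
    char *out;
    int match;

    if (sanitize_escape(in, &out) != 0)
        return 0;
    match = strcmp(out, expected) == 0;
    free(out);
    return match;
}

/* Length of the escaped form as seen through strlen(), which is only
 * meaningful because the terminator is written. */
static size_t escaped_len(const char *in)
{
    char *out;
    size_t n;

    if (sanitize_escape(in, &out) != 0)
        return (size_t)-1;
    n = strlen(out);
    free(out);
    return n;
}

int main(void)
{
    char *out;

    /* Constructed input: one quote and one backslash, both escaped. */
    if (sanitize_escape("a\"b\\", &out) != 0)
        return 1;
    printf("%s\n", out);
    free(out);
    return 0;
}
```

The worst case is easy to exercise: an input made only of double quotes doubles in length, so a two-character input fills bytes 0..3 and the terminator lands in byte 4, the one byte the original allocation was missing.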