@@ -68,6 +68,7 @@ __private void uci_getln(struct uci_context *ctx, size_t offset)
return;
ofs += strlen(p);
+ pctx->buf_filled = ofs;
if (pctx->buf[ofs - 1] == '\n') {
pctx->line++;
return;
@@ -125,6 +126,15 @@ static inline void addc(struct uci_context *ctx, size_t *pos_dest, size_t *pos_s
*pos_src += 1;
}
+static int uci_increase_pos(struct uci_parse_context *pctx, size_t add)
+{
+ if (pctx->pos + add > pctx->buf_filled)
+ return -EINVAL;
+
+ pctx->pos += add;
+ return 0;
+}
+
/*
* parse a double quoted string argument from the command line
*/
@@ -389,7 +399,8 @@ static void uci_parse_package(struct uci_context *ctx, bool single)
char *name;
/* command string null-terminated by strtok */
- pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+ if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx) + 1)))
+ return;
ofs_name = next_arg(ctx, true, true, true);
assert_eol(ctx);
@@ -421,7 +432,8 @@ static void uci_parse_config(struct uci_context *ctx)
}
/* command string null-terminated by strtok */
- pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+ if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx) + 1)))
+ return;
ofs_type = next_arg(ctx, true, false, false);
type = pctx_str(pctx, ofs_type);
@@ -471,7 +483,8 @@ static void uci_parse_option(struct uci_context *ctx, bool list)
uci_parse_error(ctx, "option/list command found before the first section");
/* command string null-terminated by strtok */
- pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+ if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx) + 1)))
+ return;
ofs_name = next_arg(ctx, true, true, false);
ofs_value = next_arg(ctx, false, false, false);
@@ -33,6 +33,7 @@ struct uci_parse_context
const char *name;
char *buf;
size_t bufsz;
+ size_t buf_filled;
size_t pos;
};
#define pctx_pos(pctx) ((pctx)->pos)
This fixes a heap overflow in the parsing of the uci line. The line which is parsed and put into pctx->buf is null terminated and stored on the heap. In the uci_parse_line() function we use strtok() to split this string in multiple parts after divided by a space or tab. strtok() replaces these characters with a NULL byte. If the next byte is NULL we assume that this NULL byte was added by strtok() and try to parse the string after this NULL byte. If this NULL byte was not added by strtok(), but by fgets() to mark the end of the string we would read over this end of the string in uninitialized memory and later over the allocated buffer. Fix this problem by storing how long the line we read was and check if we would read over the end of the string here. This also adds the input which detected this crash to the corpus of the fuzzer. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- file.c | 19 ++++++++++++++++--- uci_internal.h | 1 + 2 files changed, 17 insertions(+), 3 deletions(-)