Date:      Tue, 7 Apr 2020 14:14:59 +0000 (UTC)
From:      Kyle Evans <kevans@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r359689 - head/usr.sbin/config
Message-ID:  <202004071414.037EEx5Q057793@repo.freebsd.org>

Author: kevans
Date: Tue Apr  7 14:14:59 2020
New Revision: 359689
URL: https://svnweb.freebsd.org/changeset/base/359689

Log:
  config(8): "fix" a couple of buffer overflows
  
  Recently added/changed lines in various kernel configs have caused some
  buffer overflows that went undetected. These were detected with a config
  built using -fno-common as these line buffers smashed one of our arrays,
  then further triaged with ASAN.
  
  Double the sizes; this is really not a great fix, but addresses the
  immediate need until someone rewrites config. While here, add some bounds
  checking so that we don't need to detect this by random bus errors or other
  weird failures.
  
  MFC after:	3 days

Modified:
  head/usr.sbin/config/main.c

Modified: head/usr.sbin/config/main.c
==============================================================================
--- head/usr.sbin/config/main.c	Tue Apr  7 12:57:50 2020	(r359688)
+++ head/usr.sbin/config/main.c	Tue Apr  7 14:14:59 2020	(r359689)
@@ -322,7 +322,7 @@ usage(void)
 char *
 get_word(FILE *fp)
 {
-	static char line[80];
+	static char line[160];
 	int ch;
 	char *cp;
 	int escaped_nl = 0;
@@ -352,11 +352,17 @@ begin:
 		*cp = 0;
 		return (line);
 	}
-	while ((ch = getc(fp)) != EOF) {
+	while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
 		if (isspace(ch))
 			break;
 		*cp++ = ch;
 	}
+	if (cp >= line + sizeof(line)) {
+		line[sizeof(line) - 1] = '\0';
+		fprintf(stderr, "config: attempted overflow, partial line: `%s'",
+		    line);
+		exit(2);
+	}
 	*cp = 0;
 	if (ch == EOF)
 		return ((char *)EOF);
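Review bot: The diagnostic added in get_word has no trailing newline, and it differs in wording and output stream from the two checks added to get_quoted_word, which call `printf` and so write to stdout. All three overflow reports should use the same text and go to stderr, so that a build log capturing only stderr still shows why config exited with status 2. Here that means ending the format string with `\n`; in get_quoted_word it means replacing `printf(` with `fprintf(stderr,`. The bound test itself looks right for this loop, because a word that exactly fills the buffer leaves no room for the terminator stored by `*cp = 0;`. get_word's body starts before this hunk and continues past it, so stores through `cp` earlier in the function are not covered here.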
@@ -372,7 +378,7 @@ begin:
 char *
 get_quoted_word(FILE *fp)
 {
-	static char line[256];
+	static char line[512];
 	int ch;
 	char *cp;
 	int escaped_nl = 0;
@@ -415,15 +421,29 @@ begin:
 			}
 			if (ch != quote && escaped_nl)
 				*cp++ = '\\';
+			if (cp >= line + sizeof(line)) {
+				line[sizeof(line) - 1] = '\0';
+				printf(
+				    "config: line buffer overflow reading partial line `%s'\n",
+				    line);
+				exit(2);
+			}
 			*cp++ = ch;
 			escaped_nl = 0;
 		}
 	} else {
 		*cp++ = ch;
-		while ((ch = getc(fp)) != EOF) {
+		while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
 			if (isspace(ch))
 				break;
 			*cp++ = ch;
+		}
+		if (cp >= line + sizeof(line)) {
+			line[sizeof(line) - 1] = '\0';
+			printf(
+			    "config: line buffer overflow reading partial line `%s'\n",
+			    line);
+			exit(2);
 		}
 		if (ch != EOF)
 			(void) ungetc(ch, fp);
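Review bot: In the quoted branch the store `*cp++ = '\\';` still runs before the new bounds check. If the previous iteration left `cp` equal to `line + sizeof(line)` and `escaped_nl` is set, one byte is written past the end of `line` before the process exits. Moving the new `if` block above the `if (ch != quote && escaped_nl)` test and tightening it to `if (cp >= line + sizeof(line) - 2) {` would guarantee room for the backslash, the character and a terminator. The quoted loop can also end on the closing quote with `cp` one past the buffer; if the code after this hunk stores the terminator through `cp` as get_word does, that is a second one-byte overflow, but that part of get_quoted_word is outside the hunk and should be confirmed.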


