Date: Tue, 22 Sep 2015 16:59:42 +0000 (UTC) From: Dmitry Marakasov <amdmi3@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r288120 - head/usr.sbin/ndiscvt Message-ID: <201509221659.t8MGxgjg036043@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: amdmi3 (ports committer) Date: Tue Sep 22 16:59:41 2015 New Revision: 288120 URL: https://svnweb.freebsd.org/changeset/base/288120 Log: Fix crash on parsing some inf files ndiscvt uses 16 entry array for words into which it parses comma-separated lists of strings, like AddReg line in [somesection] AddReg = foo.reg, bar.reg, baz.reg, quiz.reg Overflows were not checked so it crashed on a line with 17 words encountered in some Broadcom/Dell Wireless 1704 802.11b-g-n driver So extend the array up to 32 entries and add an overflow check. Reviewed by: bapt Approved by: bapt MFC after: 2 weeks Differential Revision: D3713 Modified: head/usr.sbin/ndiscvt/inf.c head/usr.sbin/ndiscvt/inf.h Modified: head/usr.sbin/ndiscvt/inf.c ============================================================================== --- head/usr.sbin/ndiscvt/inf.c Tue Sep 22 16:51:40 2015 (r288119) +++ head/usr.sbin/ndiscvt/inf.c Tue Sep 22 16:59:41 2015 (r288120) @@ -887,6 +887,12 @@ regkey_add (const char *r) void push_word (const char *w) { + + if (idx == W_MAX) { + fprintf(stderr, "too many words; try bumping W_MAX in inf.h\n"); + exit(1); + } + if (w && strlen(w)) words[idx++] = w; else Modified: head/usr.sbin/ndiscvt/inf.h ============================================================================== --- head/usr.sbin/ndiscvt/inf.h Tue Sep 22 16:51:40 2015 (r288119) +++ head/usr.sbin/ndiscvt/inf.h Tue Sep 22 16:59:41 2015 (r288120) @@ -4,7 +4,7 @@ * $FreeBSD$ */ -#define W_MAX 16 +#define W_MAX 32 struct section { const char * name;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509221659.t8MGxgjg036043>