[linux-merge]linux integration; annotated tag, batman-adv-fix-for-davem, created. batman-adv-fix-for-davem
by postmaster@open-mesh.org
The annotated tag, batman-adv-fix-for-davem has been created
at d7ff44cb21aef4d2f2c7492e8ceacb9f2002e805 (tag)
tagging af0a171c07174661db71f92e442d4e6e90984b77 (commit)
replaces v3.15-rc6
tagged by Antonio Quartulli
on Sat May 31 11:18:44 2014 +0200
- Shortlog ------------------------------------------------------------
Included changes:
- prevent NULL dereference in multicast code
Antonio Quartulli (3):
batman-adv: fix reference counting imbalance while sending fragment
batman-adv: increase orig refcount when storing ref in gw_node
batman-adv: fix local TT check for outgoing arp requests in DAT
Cong Wang (1):
batman: fix a bogus warning from batadv_is_on_batman_iface()
Marek Lindner (2):
batman-adv: fix indirect hard_iface NULL dereference
batman-adv: fix NULL pointer dereferences
Simon Wunderlich (4):
batman-adv: fix neigh_ifinfo imbalance
batman-adv: fix neigh reference imbalance
batman-adv: always run purge_orig_neighbors
batman-adv: fix removing neigh_ifinfo
-----------------------------------------------------------------------
--
linux integration
8 years, 8 months
[linux-merge]linux integration; annotated tag, batman-adv-fix-for-davem, deleted. v3.15-rc4-340-g9d4190d
by postmaster@open-mesh.org
The annotated tag, batman-adv-fix-for-davem has been deleted
was 9668a900d6047e809604995e7702b73f7c6a6243
-----------------------------------------------------------------------
tag batman-adv-fix-for-davem
Included changes:
- prevent NULL dereference in multicast code
9d4190df6a21d96238133a9a64866a9c796f4ec8 batman-adv: fix NULL pointer dereferences
-----------------------------------------------------------------------
--
linux integration
8 years, 8 months
[alfred] master: batadv-vis: Avoid file handler leak after failed realloc (3b72283)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 3b722834d20a846594240d6f91706d44cf137bf4
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Tue May 27 17:04:15 2014 +0200
batadv-vis: Avoid file handler leak after failed realloc
The read_file function opens the file and thus has to close the filehandler
after a realloc error. This was forgotten in the fix
0ad384e11ed039d4c3025a7eaf19fe6bcfd41acf ("batadv-vis: Avoid memory leak after
failed realloc").
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
3b722834d20a846594240d6f91706d44cf137bf4
vis/vis.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/vis/vis.c b/vis/vis.c
index f429942..55c2dad 100644
--- a/vis/vis.c
+++ b/vis/vis.c
@@ -56,6 +56,7 @@ static char *read_file(char *fname)
buf_tmp = realloc(buf, size + 4097);
if (!buf_tmp) {
free(buf);
+ fclose(fp);
return NULL;
}
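Review bot: the realloc failure branch in read_file now has to remember two releases by hand, free(buf) and fclose(fp), and the commit message notes that the earlier fix already missed one of them. Consider routing every failure exit of read_file through a single cleanup label that does both, so a later error path cannot drop one again.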
8 years, 8 months
[alfred] master: alfred: Use memleak/error path free implementation of hash_resize (6bbde09)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 6bbde09388eaff7998d0d1e87d86d8550e8bacb9
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 16:00:34 2014 +0200
alfred: Use memleak/error path free implementation of hash_resize
The current implementation of hash_resize uses hash_add directly to initialize
a new hash table. But hash_add has two error cases: Data already exists and
malloc fails.
The check for the duplicated data is not really harmful (besides increasing the
time to re-add elements) but the malloc can potentially return an error. This
malloc is unnecessary and just takes extra time and is a potential candidate
for errors. Instead the bucket from the old hash table can be re-used.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
6bbde09388eaff7998d0d1e87d86d8550e8bacb9
hash.c | 72 +++++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 44 insertions(+), 28 deletions(-)
diff --git a/hash.c b/hash.c
index 4b3106e..fd85a0f 100644
--- a/hash.c
+++ b/hash.c
@@ -63,6 +63,40 @@ void hash_delete(struct hashtable_t *hash, hashdata_free_cb free_cb)
hash_destroy(hash);
}
+/* adds data to the hashtable and reuse bucket.
+ * returns 0 on success, -1 on error */
+static int hash_add_bucket(struct hashtable_t *hash, void *data,
+ struct element_t *bucket, int check_duplicate)
+{
+ int index;
+ struct element_t *bucket_it, *prev_bucket = NULL;
+
+ index = hash->choose(data, hash->size);
+ bucket_it = hash->table[index];
+
+ while (bucket_it != NULL) {
+ if (check_duplicate &&
+ hash->compare(bucket_it->data, data))
+ return -1;
+
+ prev_bucket = bucket_it;
+ bucket_it = bucket_it->next;
+ }
+
+ /* init the new bucket */
+ bucket->data = data;
+ bucket->next = NULL;
+
+ /* and link it */
+ if (prev_bucket == NULL)
+ hash->table[index] = bucket;
+ else
+ prev_bucket->next = bucket;
+
+ hash->elements++;
+ return 0;
+}
+
/* free only the hashtable and the hash itself. */
void hash_destroy(struct hashtable_t *hash)
{
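Review bot: the while loop in hash_add_bucket walks the whole chain even when check_duplicate is 0, only to find the tail. For a caller that passes 0, linking the bucket at the head of hash->table[index] would avoid the walk; if tail order matters, say so in the function comment. The comment should also state that on -1 the bucket is left untouched and stays owned by the caller.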
@@ -186,19 +220,8 @@ struct hashtable_t *hash_new(int size, hashdata_compare_cb compare,
/* adds data to the hashtable. returns 0 on success, -1 on error */
int hash_add(struct hashtable_t *hash, void *data)
{
- int index;
- struct element_t *bucket, *prev_bucket = NULL;
-
- index = hash->choose(data, hash->size);
- bucket = hash->table[index];
-
- while (bucket != NULL) {
- if (hash->compare(bucket->data, data))
- return -1;
-
- prev_bucket = bucket;
- bucket = bucket->next;
- }
+ int ret;
+ struct element_t *bucket;
/* found the tail of the list, add new element */
bucket = debugMalloc(sizeof(struct element_t), 304);
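Review bot: the context comment "found the tail of the list, add new element" above debugMalloc in hash_add is stale, since the tail search moved into hash_add_bucket. Drop it or reword it to describe the allocation.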
@@ -206,18 +229,11 @@ int hash_add(struct hashtable_t *hash, void *data)
if (!bucket)
return -1;
- /* init the new bucket */
- bucket->data = data;
- bucket->next = NULL;
-
- /* and link it */
- if (prev_bucket == NULL)
- hash->table[index] = bucket;
- else
- prev_bucket->next = bucket;
+ ret = hash_add_bucket(hash, data, bucket, 1);
+ if (ret < 0)
+ debugFree(bucket, 1307);
- hash->elements++;
- return 0;
+ return ret;
}
/* finds data, based on the key in keydata. returns the found data on success,
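Review bot: hash_add now allocates the bucket before hash_add_bucket runs the duplicate check, so adding an element that already exists costs a debugMalloc/debugFree pair, and an allocation failure is reported for data that would have been rejected as a duplicate anyway. If that cost matters on this path, do the duplicate lookup before allocating; otherwise note the ordering in the function comment.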
@@ -307,10 +323,10 @@ struct hashtable_t *hash_resize(struct hashtable_t *hash, int size)
/* copy the elements */
for (i = 0; i < hash->size; i++) {
- bucket = hash->table[i];
- while (bucket != NULL) {
- hash_add(new_hash, bucket->data);
- bucket = bucket->next;
+ while (hash->table[i]) {
+ bucket = hash->table[i];
+ hash->table[i] = bucket->next;
+ hash_add_bucket(new_hash, bucket->data, bucket, 0);
}
}
/* remove hash and eventual overflow buckets but not the
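Review bot: the return value of hash_add_bucket is dropped inside the copy loop of hash_resize. With check_duplicate set to 0 the implementation shown in this patch cannot fail, so make that explicit with a (void) cast or a short comment; otherwise a later change that adds a failure path would silently lose a bucket that has already been unlinked from hash->table[i].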
8 years, 8 months
[alfred] master: alfred: Free hash iterator when breaking out of loop (0edc5b8)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 0edc5b8580788a0ba9baeae776c42c078875a396
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:13 2014 +0200
alfred: Free hash iterator when breaking out of loop
The hash iterator is automatically allocated and freed by the hash_iterate
function. But when using break during the iteration loop, the caller has to
handle the free-operation of the hash_iterator to avoid memory leaks.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
0edc5b8580788a0ba9baeae776c42c078875a396
hash.c | 8 +++++++-
hash.h | 3 +++
unix_sock.c | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/hash.c b/hash.c
index e1fd299..4b3106e 100644
--- a/hash.c
+++ b/hash.c
@@ -70,6 +70,12 @@ void hash_destroy(struct hashtable_t *hash)
debugFree(hash, 1303);
}
+/* free hash_it_t pointer when stopping hash_iterate early */
+void hash_iterate_free(struct hash_it_t *iter_in)
+{
+ debugFree(iter_in, 1304);
+}
+
/* iterate though the hash. first element is selected with iter_in NULL.
* use the returned iterator to access the elements until hash_it_t returns
* NULL. */
@@ -149,7 +155,7 @@ struct hash_it_t *hash_iterate(struct hashtable_t *hash,
}
/* nothing to iterate over anymore */
- debugFree(iter, 1304);
+ hash_iterate_free(iter);
return NULL;
}
diff --git a/hash.h b/hash.h
index bb77f75..c9c8fb1 100644
--- a/hash.h
+++ b/hash.h
@@ -102,4 +102,7 @@ void hash_debug(struct hashtable_t *hash);
struct hash_it_t *hash_iterate(struct hashtable_t *hash,
struct hash_it_t *iter_in);
+/* free hash_it_t pointer when stopping hash_iterate early */
+void hash_iterate_free(struct hash_it_t *iter_in);
+
#endif
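Review bot: the comment on hash_iterate_free in hash.h does not say what state the iterator is in afterwards. State that the pointer must not be passed to hash_iterate again after the call, and that the call is only needed when the loop is left early, since hash_iterate frees the iterator itself before it returns NULL.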
diff --git a/unix_sock.c b/unix_sock.c
index 4553db5..3915553 100644
--- a/unix_sock.c
+++ b/unix_sock.c
@@ -192,6 +192,7 @@ static int unix_sock_req_data_reply(struct globals *globals, int client_sock,
if (write(client_sock, buf, sizeof(push->header) + len) < 0) {
ret = -1;
+ hash_iterate_free(hashit);
break;
}
}
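Review bot: the hash_iterate_free(hashit) call covers the failed write() exit only. Any other break, goto or return inside the same hash_iterate loop in unix_sock_req_data_reply needs the same call; check the rest of the loop body, which lies outside this hunk's context.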
8 years, 8 months
[alfred] master: alfred: Fix length check for push_data (39a7d35)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 39a7d3526aeb06fc992a15634f11512ec0c563ae
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:15 2014 +0200
alfred: Fix length check for push_data
The client receives the push_data header and the header of a data_block when
it tries to parse the answer of a request. The remaining buffer size to store
the actual data has to remove these two headers from its available, original
buffer size. The read of the data would otherwise (potentially) overflow
the output buffer.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
[sw: fixed sign in buf_data_len for sizeof(*data)]
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
39a7d3526aeb06fc992a15634f11512ec0c563ae
client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/client.c b/client.c
index 3670f4f..cbc6867 100644
--- a/client.c
+++ b/client.c
@@ -38,6 +38,7 @@ int alfred_client_request_data(struct globals *globals)
struct alfred_tlv *tlv;
struct alfred_data *data;
int ret, len, data_len, i;
+ const size_t buf_data_len = sizeof(buf) - sizeof(*push) - sizeof(*data);
if (unix_sock_open_client(globals, ALFRED_SOCK_PATH))
return -1;
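Review bot: buf_data_len is computed with unsigned arithmetic, so if buf were ever smaller than the two headers the subtraction would wrap to a very large size_t instead of going negative. A compile-time assertion next to the declaration that sizeof(buf) exceeds sizeof(*push) + sizeof(*data) would pin that assumption.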
@@ -88,7 +89,7 @@ int alfred_client_request_data(struct globals *globals)
data_len = ntohs(data->header.length);
/* would it fit? it should! */
- if (data_len > (int)(sizeof(buf) - sizeof(*push)))
+ if (data_len > (int)buf_data_len)
break;
/* read the data */
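Review bot: the comparison data_len > (int)buf_data_len narrows a size_t to int to match the int declaration of data_len. The value comes from ntohs() and cannot be negative, so comparing as (size_t)data_len > buf_data_len, or declaring data_len unsigned, keeps the bound in its own type and removes the cast.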
8 years, 8 months
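The length check described in the commit message above, as an added example that is not alfred's code: the two header structs, DEMO_BUF_SIZE and all demo_* names are hypothetical simplifications, and the reply bytes are constructed inline. It shows the old and fixed bounds side by side and a parser that applies the fixed one.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified headers; not alfred's real wire structs. */
struct demo_push_hdr { uint8_t type, version; uint16_t length; };
struct demo_data_hdr { uint8_t source[6], type, version; uint16_t length; };

#define DEMO_BUF_SIZE 64
#define DEMO_HDRS (sizeof(struct demo_push_hdr) + sizeof(struct demo_data_hdr))

/* Bound before the fix: only the push header was subtracted. */
static size_t demo_old_limit(void)
{
	return DEMO_BUF_SIZE - sizeof(struct demo_push_hdr);
}

/* Bound after the fix: both headers already occupy the buffer. */
static size_t demo_payload_capacity(void)
{
	return DEMO_BUF_SIZE - DEMO_HDRS;
}

/* Build a constructed reply carrying data_len payload bytes. */
static size_t demo_build(uint8_t *msg, uint16_t data_len)
{
	struct demo_push_hdr push;
	struct demo_data_hdr data;

	memset(&push, 0, sizeof(push));
	memset(&data, 0, sizeof(data));
	push.length = htons((uint16_t)(sizeof(data) + data_len));
	data.length = htons(data_len);
	memcpy(msg, &push, sizeof(push));
	memcpy(msg + sizeof(push), &data, sizeof(data));
	memset(msg + DEMO_HDRS, 'A', data_len);
	return DEMO_HDRS + data_len;
}

/* Copy headers and payload into out; returns payload length or -1. */
static int demo_parse_reply(const uint8_t *msg, size_t msg_len,
			    uint8_t out[DEMO_BUF_SIZE])
{
	struct demo_data_hdr data;
	size_t data_len;

	if (msg_len < DEMO_HDRS)
		return -1;
	memcpy(out, msg, DEMO_HDRS);
	memcpy(&data, msg + sizeof(struct demo_push_hdr), sizeof(data));
	data_len = ntohs(data.length);

	/* compare as size_t against what is left after both headers,
	 * and against the bytes actually received */
	if (data_len > demo_payload_capacity() || data_len > msg_len - DEMO_HDRS)
		return -1;
	memcpy(out + DEMO_HDRS, msg + DEMO_HDRS, data_len);
	return (int)data_len;
}

int main(void)
{
	uint8_t msg[128], out[DEMO_BUF_SIZE];
	size_t fits = demo_payload_capacity();

	printf("old limit %zu, fixed limit %zu\n", demo_old_limit(), fits);
	printf("len %zu -> %d\n", fits,
	       demo_parse_reply(msg, demo_build(msg, (uint16_t)fits), out));
	printf("len %zu -> %d\n", fits + 1,
	       demo_parse_reply(msg, demo_build(msg, (uint16_t)(fits + 1)), out));
	return 0;
}
```

Every length between the fixed limit and the old limit is one the old check would have accepted even though the headers had already used that space.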
[alfred] master: alfred: Handle fcntl error return codes (217c8de)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 217c8deb9484d1705bf26523b77dba7503d4d131
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:14 2014 +0200
alfred: Handle fcntl error return codes
fcntl doesn't return non-error return values when starting a F_GETFL operation.
These have to be handled or otherwise a garbage value is given to fcntl for
the F_SETFL operation.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
217c8deb9484d1705bf26523b77dba7503d4d131
netsock.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/netsock.c b/netsock.c
index 8712c11..305983f 100644
--- a/netsock.c
+++ b/netsock.c
@@ -48,6 +48,7 @@ int netsock_open(struct globals *globals)
int sock;
struct sockaddr_in6 sin6;
struct ifreq ifr;
+ int ret;
globals->netsock = -1;
@@ -86,7 +87,18 @@ int netsock_open(struct globals *globals)
goto err;
}
- fcntl(sock, F_SETFL, fcntl(sock, F_GETFL, 0) | O_NONBLOCK);
+ ret = fcntl(sock, F_GETFL, 0);
+ if (ret < 0) {
+ fprintf(stderr, "failed to get file status flags\n");
+ goto err;
+ }
+
+ ret = fcntl(sock, F_SETFL, ret | O_NONBLOCK);
+ if (ret < 0) {
+ fprintf(stderr, "failed to set file status flags\n");
+ goto err;
+ }
+
globals->netsock = sock;
return 0;
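Review bot: both new fprintf messages in netsock_open omit the reason for the failure. The ioctl error path in the same function prints strerror(errno) ("can't get interface: %s"); do the same for the two fcntl failures. Also confirm that the err label closes sock, since both new exits are reached after the socket has been opened.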
8 years, 8 months
[alfred] master: alfred: Use strncpy instead of strcpy for string copy (71dbc00)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 71dbc00fd879f1e592b07d8397f724fb3f69ac64
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:12 2014 +0200
alfred: Use strncpy instead of strcpy for string copy
The data used in strcpy is partially provided by the user. This can be larger
than the destination buffer and thus overwrite data after the actual string
buffer. This can easily be avoided by using strncpy.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
71dbc00fd879f1e592b07d8397f724fb3f69ac64
debugfs.c | 4 +++-
gpsd/alfred-gpsd.c | 18 +++++++++++++++---
unix_sock.c | 6 ++++--
vis/vis.c | 3 ++-
4 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/debugfs.c b/debugfs.c
index adada7c..4b8801a 100644
--- a/debugfs.c
+++ b/debugfs.c
@@ -78,7 +78,9 @@ static const char *debugfs_find_mountpoint(void)
while (*ptr) {
if (debugfs_valid_mountpoint(*ptr) == 0) {
debugfs_found = 1;
- strcpy(debugfs_mountpoint, *ptr);
+ strncpy(debugfs_mountpoint, *ptr,
+ sizeof(debugfs_mountpoint));
+ debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = 0;
return debugfs_mountpoint;
}
ptr++;
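Review bot: a mountpoint longer than debugfs_mountpoint is now silently shortened in debugfs_find_mountpoint, debugfs_found is set to 1 and the cut-off path is returned as if it were valid. Treat a candidate that does not fit as not found and continue with the next one. As a style point, the terminator is written as = 0 here while the other hunks of this patch use '\0'; pick one spelling.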
diff --git a/gpsd/alfred-gpsd.c b/gpsd/alfred-gpsd.c
index 089f2af..84a0ded 100644
--- a/gpsd/alfred-gpsd.c
+++ b/gpsd/alfred-gpsd.c
@@ -36,7 +36,8 @@ static int alfred_open_sock(struct globals *globals)
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_LOCAL;
- strcpy(addr.sun_path, ALFRED_SOCK_PATH);
+ strncpy(addr.sun_path, ALFRED_SOCK_PATH, sizeof(addr.sun_path));
+ addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
if (connect(globals->unix_sock, (struct sockaddr *)&addr,
sizeof(addr)) < 0) {
@@ -300,6 +301,10 @@ static void gpsd_read_gpsd(struct globals *globals)
size_t cnt;
bool eol = false;
char buf[4096];
+ const size_t tpv_size = sizeof(*globals->buf) -
+ sizeof(*globals->push) -
+ sizeof(struct alfred_data) -
+ sizeof(*globals->gpsd_data);
cnt = 0;
do {
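Review bot: check what sizeof(*globals->buf) evaluates to in the tpv_size initialiser. gpsd_server casts globals->buf straight to a struct alfred_push_data_v0 pointer, so if buf is a byte array or byte pointer the dereference yields the size of one element, the unsigned subtraction wraps to a huge size_t, and the strncpy bound that follows no longer limits anything. sizeof(globals->buf) for an array member, or the constant that sizes the buffer, is what the calculation needs.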
@@ -328,7 +333,9 @@ static void gpsd_read_gpsd(struct globals *globals)
#define STARTSWITH(str, prefix) strncmp(str, prefix, sizeof(prefix)-1)==0
if (STARTSWITH(buf, "{\"class\":\"TPV\"")) {
- strcpy(globals->gpsd_data->tpv, buf);
+ strncpy(globals->gpsd_data->tpv, buf, tpv_size);
+ globals->gpsd_data->tpv[tpv_size - 1] = '\0';
+
globals->gpsd_data->tpv_len =
htonl(strlen(globals->gpsd_data->tpv) + 1);
}
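Review bot: when buf holds a TPV line of tpv_size bytes or more, the strncpy in gpsd_read_gpsd stores a cut-off JSON object and tpv_len then advertises it as valid data. Prefer skipping the update and keeping the previous TPV when strlen(buf) >= tpv_size, rather than publishing a truncated object.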
@@ -443,6 +450,10 @@ static int gpsd_server(struct globals *globals)
int max_fd, ret;
const size_t overhead = sizeof(*globals->push) +
sizeof(struct alfred_data);
+ const size_t tpv_size = sizeof(*globals->buf) -
+ sizeof(*globals->push) -
+ sizeof(struct alfred_data) -
+ sizeof(*globals->gpsd_data);
long interval;
globals->push = (struct alfred_push_data_v0 *) globals->buf;
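Review bot: tpv_size in gpsd_server repeats the expression just added to gpsd_read_gpsd, and its two middle terms are exactly the overhead constant declared right above it. Compute the value once in a helper or macro and build it from overhead, so the two sizes cannot drift apart.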
@@ -456,7 +467,8 @@ static int gpsd_server(struct globals *globals)
globals->push->data->header.type = GPSD_PACKETTYPE;
globals->push->data->header.version = GPSD_PACKETVERSION;
- strcpy(globals->gpsd_data->tpv, GPSD_INIT_TPV);
+ strncpy(globals->gpsd_data->tpv, GPSD_INIT_TPV, tpv_size);
+ globals->gpsd_data->tpv[tpv_size - 1] = '\0';
globals->gpsd_data->tpv_len =
htonl(strlen(globals->gpsd_data->tpv) + 1);
diff --git a/unix_sock.c b/unix_sock.c
index 8251c81..4553db5 100644
--- a/unix_sock.c
+++ b/unix_sock.c
@@ -50,7 +50,8 @@ int unix_sock_open_daemon(struct globals *globals, const char *path)
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_LOCAL;
- strcpy(addr.sun_path, path);
+ strncpy(addr.sun_path, path, sizeof(addr.sun_path));
+ addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
if (bind(globals->unix_sock, (struct sockaddr *)&addr,
sizeof(addr)) < 0) {
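Review bot: path in unix_sock_open_daemon is caller-supplied, and with the strncpy plus forced terminator a path that does not fit in addr.sun_path is shortened without any error, so bind() then creates the socket at a different path than the one requested. Reject the call when strlen(path) >= sizeof(addr.sun_path) and report it, instead of binding to the truncated name; the same applies to the connect() side in unix_sock_open_client.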
@@ -81,7 +82,8 @@ int unix_sock_open_client(struct globals *globals, const char *path)
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_LOCAL;
- strcpy(addr.sun_path, path);
+ strncpy(addr.sun_path, path, sizeof(addr.sun_path));
+ addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
if (connect(globals->unix_sock, (struct sockaddr *)&addr,
sizeof(addr)) < 0) {
diff --git a/vis/vis.c b/vis/vis.c
index 2928d65..f429942 100644
--- a/vis/vis.c
+++ b/vis/vis.c
@@ -168,7 +168,8 @@ static int alfred_open_sock(struct globals *globals)
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_LOCAL;
- strcpy(addr.sun_path, ALFRED_SOCK_PATH);
+ strncpy(addr.sun_path, ALFRED_SOCK_PATH, sizeof(addr.sun_path));
+ addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
if (connect(globals->unix_sock, (struct sockaddr *)&addr,
sizeof(addr)) < 0) {
8 years, 8 months
[alfred] master: batadv-vis: Avoid invalid access in orig_list (807ce0f)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 807ce0f505ea1057dd83234106d288fe8d60d9a4
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:10 2014 +0200
batadv-vis: Avoid invalid access in orig_list
The orig list parsing tries to gather information from 4 columns for each line.
The second part of the parsing routine should only be started when all
columns could be found. Otherwise parts of the variables are uninitialized.
Dereferencing iface in such a situation can cause a segfault.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
807ce0f505ea1057dd83234106d288fe8d60d9a4
vis/vis.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vis/vis.c b/vis/vis.c
index 31f60d7..2928d65 100644
--- a/vis/vis.c
+++ b/vis/vis.c
@@ -350,7 +350,7 @@ static int parse_orig_list(struct globals *globals)
default: break;
}
}
- if (tnum >= 4) {
+ if (tnum > 4) {
if (strcmp(dest, neigh) == 0) {
tq_val = strtol(tq, NULL, 10);
if (tq_val < 1 || tq_val > 255)
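Review bot: the new condition tnum > 4 in parse_orig_list relies on a bare constant while the commit message speaks of 4 columns, which leaves the reader to work out how tnum is counted. Add a short comment or a named constant that ties the threshold to the last column index parsed by the switch above, so the off-by-one does not come back.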
8 years, 8 months
[alfred] master: alfred: Force null termination of string after strncpy (9f42617)
by postmaster@open-mesh.org
Repository : ssh://git@open-mesh.org/alfred
On branch : master
>---------------------------------------------------------------
commit 9f426172712daa5f502743070d4cca3309366dd4
Author: Sven Eckelmann <sven(a)narfation.org>
Date: Sat May 24 13:44:07 2014 +0200
alfred: Force null termination of string after strncpy
strncpy doesn't terminate the string with a '\0' character when the length
of the destination memory location was shorter than the source string.
Accessing it again with string related functions isn't safe after such a
semi-failed copy and the caller has to handle it. The easiest way is to
always set the last character in the destination buffer to '\0' after the
strncpy was called.
Signed-off-by: Sven Eckelmann <sven(a)narfation.org>
Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de>
>---------------------------------------------------------------
9f426172712daa5f502743070d4cca3309366dd4
debugfs.c | 1 +
netsock.c | 1 +
server.c | 1 +
vis/vis.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/debugfs.c b/debugfs.c
index 1e9418d..adada7c 100644
--- a/debugfs.c
+++ b/debugfs.c
@@ -154,6 +154,7 @@ char *debugfs_mount(const char *mountpoint)
/* save the mountpoint */
strncpy(debugfs_mountpoint, mountpoint, sizeof(debugfs_mountpoint));
+ debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = '\0';
debugfs_found = 1;
return debugfs_mountpoint;
diff --git a/netsock.c b/netsock.c
index 08d2959..8712c11 100644
--- a/netsock.c
+++ b/netsock.c
@@ -59,6 +59,7 @@ int netsock_open(struct globals *globals)
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) {
fprintf(stderr, "can't get interface: %s\n", strerror(errno));
goto err;
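Review bot: with the forced terminator in netsock_open, an interface name of IFNAMSIZ characters or more in globals->interface is cut to IFNAMSIZ - 1 characters and passed to SIOCGIFINDEX, which may then resolve a different, shorter-named interface. Check strlen(globals->interface) < IFNAMSIZ and fail with a clear message instead of looking up the truncated name; server.c and vis/vis.c carry the same pattern.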
diff --git a/server.c b/server.c
index fdd97d4..e4465dc 100644
--- a/server.c
+++ b/server.c
@@ -242,6 +242,7 @@ static void check_if_socket(struct globals *globals)
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) {
fprintf(stderr, "can't get interface: %s, closing netsock\n",
strerror(errno));
diff --git a/vis/vis.c b/vis/vis.c
index b51fede..9031b27 100644
--- a/vis/vis.c
+++ b/vis/vis.c
@@ -102,6 +102,7 @@ static int get_if_mac(char *ifname, uint8_t *mac)
int sock, ret;
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "can't get interface: %s\n", strerror(errno));
8 years, 8 months
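The strncpy behaviour that commits 71dbc00 and 9f42617 above deal with, as an added example that is not alfred's code: the demo_* functions are hypothetical and the paths are constructed. It shows strncpy leaving no terminator, the forced-terminator pattern from the patches, and a stricter variant that refuses a path that does not fit in sun_path.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* 1 if buf[0..size) contains a terminator, 0 otherwise. */
static int demo_is_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* strncpy alone, as before the forced terminator was added.
 * dst is pre-filled so stale zero bytes cannot hide the problem. */
static int demo_copy_plain(char *dst, size_t size, const char *src)
{
	memset(dst, 'x', size);
	strncpy(dst, src, size);
	return demo_is_terminated(dst, size);
}

/* strncpy plus forced terminator, the pattern used in the patches.
 * Returns 1 when src was cut short, 0 when it fit. */
static int demo_copy_forced(char *dst, size_t size, const char *src)
{
	strncpy(dst, src, size);
	dst[size - 1] = '\0';
	return strlen(src) >= size;
}

/* Stricter alternative: refuse a path that does not fit instead of
 * binding or connecting to a shortened one. */
static int demo_set_sun_path(struct sockaddr_un *addr, const char *path)
{
	size_t len = strlen(path);

	if (len >= sizeof(addr->sun_path))
		return -1;
	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len + 1);
	return 0;
}

int main(void)
{
	char small[8], long_path[256];
	struct sockaddr_un addr;
	int cut;

	/* constructed inputs */
	memset(long_path, 'a', sizeof(long_path) - 1);
	long_path[sizeof(long_path) - 1] = '\0';

	printf("plain strncpy terminated: %d\n",
	       demo_copy_plain(small, sizeof(small), "/run/alfred.sock"));
	cut = demo_copy_forced(small, sizeof(small), "/run/alfred.sock");
	printf("forced terminator: \"%s\" truncated=%d\n", small, cut);
	printf("oversized sun_path: %d\n", demo_set_sun_path(&addr, long_path));
	return 0;
}
```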