commits May 2014

commits@lists.open-mesh.org

1 participants
88 discussions

[linux-merge]linux integration; annotated tag, batman-adv-fix-for-davem, created. batman-adv-fix-for-davem
by postmaster＠open-mesh.org 31 May '14

31 May '14

The annotated tag, batman-adv-fix-for-davem has been created at d7ff44cb21aef4d2f2c7492e8ceacb9f2002e805 (tag) tagging af0a171c07174661db71f92e442d4e6e90984b77 (commit) replaces v3.15-rc6 tagged by Antonio Quartulli on Sat May 31 11:18:44 2014 +0200 - Shortlog ------------------------------------------------------------ Included changes: - prevent NULL dereference in multicast code -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABCAAGBQJTiZ58AAoJEJgn97Bh2u9e2x4QAIjWLDIo6feo4jH8l6q6R5iO cH/EXCtqk9GHNwvfZDNt+pF19ejzVk/TPnmmXTZ4QcElS9GuXe5WdWxiGcS5KEwa 0UNDRp8fgcBSV1Kqc/vbyKiQ4j69QtC1PPfLWUtxj/GYE0qHX/A1OzB9zROvoHJ7 sa3l8O5XRWiaxBYDkT0RfhHH0jeDdvm3I9yt8B+4B6c71094VIsfGXBVPp4tPrdg nkuzBdwF0HFPiFrlsfboJDLcXPLpRR93H1GsmfELYd5jQ4rtUhlcuEESq6573tvB TV93tkm/zmbwtInMoPI29qKL8t2478cJH7SvKvM4NiqMsB1zOhknhUXzElh9TPGA xyNivxJraYJzL53XguBFO8A8fP1k/E8Z6UQXJbgry4lu+6qZ60e0/J8zGxGpSamP i1JX0MAVPX6T4MAlZ70LMxfmzJ5sSNkkYyXobG+aBa/AgzRsXVvG4So1qi364COx btCxgBXK1Z20ZuNclY8/J06D8EbTXI5y5MCSDvMCOHQlb5mjBl34RtFVw+5/QXkg v2suc7T/YLOPNtZktZC2506caPHoOlwEVvkyA55p+qdkcD/Dd5Iv4Hndi+g+C5gv O2ja7gUQco1R8ElormKW9rE7OvjiUlowNJmguXWAdzc9FC0yISpP66BAGjBqwhF9 6YibEebXMQICjxAVTEAM =fvfu -----END PGP SIGNATURE----- Antonio Quartulli (3): batman-adv: fix reference counting imbalance while sending fragment batman-adv: increase orig refcount when storing ref in gw_node batman-adv: fix local TT check for outgoing arp requests in DAT Cong Wang (1): batman: fix a bogus warning from batadv_is_on_batman_iface() Marek Lindner (2): batman-adv: fix indirect hard_iface NULL dereference batman-adv: fix NULL pointer dereferences Simon Wunderlich (4): batman-adv: fix neigh_ifinfo imbalance batman-adv: fix neigh reference imbalance batman-adv: always run purge_orig_neighbors batman-adv: fix removing neigh_ifinfo ----------------------------------------------------------------------- -- linux integration

1 0

[linux-merge]linux integration; annotated tag, batman-adv-fix-for-davem, deleted. v3.15-rc4-340-g9d4190d
by postmaster＠open-mesh.org 31 May '14

31 May '14

The annotated tag, batman-adv-fix-for-davem has been deleted was 9668a900d6047e809604995e7702b73f7c6a6243 ----------------------------------------------------------------------- tag batman-adv-fix-for-davem Included changes: - prevent NULL dereference in multicast code -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABCAAGBQJTgKzSAAoJEJgn97Bh2u9eahkP/jQIVQ4QTavjFyMbKuOmwgzz QTKagXAycpLdju91sBuHMRpiK67W/2rvwxedRm4nDb5S9fj0ruspKO7k5rHd4grG pn9t2LX3UXQhjLCwptzxbzfnB5sAoNMShl8OwJDkxrg1N4hL1Giwppa36TBG7fd1 S6NdR6++dICP3SI64cEMxjDqhnJ1xYIPAOijvkeR4b12ew0oT1C/dEUxhVkYh+Gr EDDzH5ZZg9uNfyOCYDeJugPa9gk3xUO5aWvtVdqdwouuwkCX0EgJDoluQw40Fi3M l9co1MIEEsvoT2ENdh3gqaET/7UjP2WR7ZdID64Z+/W2w5wk22xwIheAD+0nW3Tj rRowQh0/W4YGttNeBnJZ4l9o8ncHioZ9+FR4b9scd2y9wCHKIg8ChxKvoHkMIQ7y 31bljKGD5yJBbZXo/0YXPTVLkDglAJRuBhW7vEGlXnDQro7yfCbLuAFh3ejyWsts uU2IdkzmJabydVXzxwZfseFP+maZ4O/nAUux6Qgp8ZfZKY5rE9frjnTm8Pn6X2J0 EojVQizd2Keo6ZOhU5sqzO8G1bTVuIdCa6VLrbjcHflMCjjz4POI2cLAkeAx9Zop lkkxPszxLJ2IMxOQtbNp4Os6pVKpb+o+1/JpCnJbJTrx2UiRJkRRwHoCmc1rm/Rf PSy/d/kBPHYHKZb+C2re =w7BS -----END PGP SIGNATURE----- 9d4190df6a21d96238133a9a64866a9c796f4ec8 batman-adv: fix NULL pointer dereferences ----------------------------------------------------------------------- -- linux integration

1 0

[alfred] master: batadv-vis: Avoid file handler leak after failed realloc (3b72283)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 3b722834d20a846594240d6f91706d44cf137bf4 Author: Sven Eckelmann <sven(a)narfation.org> Date: Tue May 27 17:04:15 2014 +0200 batadv-vis: Avoid file handler leak after failed realloc The read_file function opens the file and thus has to close the filehandler after an realloc error. This was forgotten in the fix 0ad384e11ed039d4c3025a7eaf19fe6bcfd41acf ("batadv-vis: Avoid memory leak after failed realloc"). Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 3b722834d20a846594240d6f91706d44cf137bf4 vis/vis.c | 1 + 1 file changed, 1 insertion(+) diff --git a/vis/vis.c b/vis/vis.c index f429942..55c2dad 100644 --- a/vis/vis.c +++ b/vis/vis.c @@ -56,6 +56,7 @@ static char *read_file(char *fname) buf_tmp = realloc(buf, size + 4097); if (!buf_tmp) { free(buf); + fclose(fp); return NULL; }

1 0

[alfred] master: alfred: Use memleak/error path free implementation of hash_resize (6bbde09)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 6bbde09388eaff7998d0d1e87d86d8550e8bacb9 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 16:00:34 2014 +0200 alfred: Use memleak/error path free implementation of hash_resize The current implementation of hash_resize uses hash_add directly to initialize two a new hash table. But hash_add has two error cases: Data already exists and malloc fails. The check for the duplicated data is not really harmful (beside increasing the time to re-add elements) but the malloc can potentially return an error. This malloc is unnecessary and just takes extra time and is a potential candidate for errors. Instead the bucket from the old hash table can be re-used. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 6bbde09388eaff7998d0d1e87d86d8550e8bacb9 hash.c | 72 +++++++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 28 deletions(-) diff --git a/hash.c b/hash.c index 4b3106e..fd85a0f 100644 --- a/hash.c +++ b/hash.c @@ -63,6 +63,40 @@ void hash_delete(struct hashtable_t *hash, hashdata_free_cb free_cb) hash_destroy(hash); } +/* adds data to the hashtable and reuse bucket. + * returns 0 on success, -1 on error */ +static int hash_add_bucket(struct hashtable_t *hash, void *data, + struct element_t *bucket, int check_duplicate) +{ + int index; + struct element_t *bucket_it, *prev_bucket = NULL; + + index = hash->choose(data, hash->size); + bucket_it = hash->table[index]; + + while (bucket_it != NULL) { + if (check_duplicate && + hash->compare(bucket_it->data, data)) + return -1; + + prev_bucket = bucket_it; + bucket_it = bucket_it->next; + } + + /* init the new bucket */ + bucket->data = data; + bucket->next = NULL; + + /* and link it */ + if (prev_bucket == NULL) + hash->table[index] = bucket; + else + prev_bucket->next = bucket; + + hash->elements++; + return 0; +} + /* free only the hashtable and the hash itself. */ void hash_destroy(struct hashtable_t *hash) { @@ -186,19 +220,8 @@ struct hashtable_t *hash_new(int size, hashdata_compare_cb compare, /* adds data to the hashtable. returns 0 on success, -1 on error */ int hash_add(struct hashtable_t *hash, void *data) { - int index; - struct element_t *bucket, *prev_bucket = NULL; - - index = hash->choose(data, hash->size); - bucket = hash->table[index]; - - while (bucket != NULL) { - if (hash->compare(bucket->data, data)) - return -1; - - prev_bucket = bucket; - bucket = bucket->next; - } + int ret; + struct element_t *bucket; /* found the tail of the list, add new element */ bucket = debugMalloc(sizeof(struct element_t), 304); @@ -206,18 +229,11 @@ int hash_add(struct hashtable_t *hash, void *data) if (!bucket) return -1; - /* init the new bucket */ - bucket->data = data; - bucket->next = NULL; - - /* and link it */ - if (prev_bucket == NULL) - hash->table[index] = bucket; - else - prev_bucket->next = bucket; + ret = hash_add_bucket(hash, data, bucket, 1); + if (ret < 0) + debugFree(bucket, 1307); - hash->elements++; - return 0; + return ret; } /* finds data, based on the key in keydata. returns the found data on success, @@ -307,10 +323,10 @@ struct hashtable_t *hash_resize(struct hashtable_t *hash, int size) /* copy the elements */ for (i = 0; i < hash->size; i++) { - bucket = hash->table[i]; - while (bucket != NULL) { - hash_add(new_hash, bucket->data); - bucket = bucket->next; + while (hash->table[i]) { + bucket = hash->table[i]; + hash->table[i] = bucket->next; + hash_add_bucket(new_hash, bucket->data, bucket, 0); } } /* remove hash and eventual overflow buckets but not the

1 0

[alfred] master: alfred: Free hash iterator when breaking out of loop (0edc5b8)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 0edc5b8580788a0ba9baeae776c42c078875a396 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:13 2014 +0200 alfred: Free hash iterator when breaking out of loop The hash iterator is automatically allocated and freed by the hash_iterate function. But when using break during the iteration loop, the caller has to handle the free-operation of the hash_iterator to avoid memory leaks. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 0edc5b8580788a0ba9baeae776c42c078875a396 hash.c | 8 +++++++- hash.h | 3 +++ unix_sock.c | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/hash.c b/hash.c index e1fd299..4b3106e 100644 --- a/hash.c +++ b/hash.c @@ -70,6 +70,12 @@ void hash_destroy(struct hashtable_t *hash) debugFree(hash, 1303); } +/* free hash_it_t pointer when stopping hash_iterate early */ +void hash_iterate_free(struct hash_it_t *iter_in) +{ + debugFree(iter_in, 1304); +} + /* iterate though the hash. first element is selected with iter_in NULL. * use the returned iterator to access the elements until hash_it_t returns * NULL. */ @@ -149,7 +155,7 @@ struct hash_it_t *hash_iterate(struct hashtable_t *hash, } /* nothing to iterate over anymore */ - debugFree(iter, 1304); + hash_iterate_free(iter); return NULL; } diff --git a/hash.h b/hash.h index bb77f75..c9c8fb1 100644 --- a/hash.h +++ b/hash.h @@ -102,4 +102,7 @@ void hash_debug(struct hashtable_t *hash); struct hash_it_t *hash_iterate(struct hashtable_t *hash, struct hash_it_t *iter_in); +/* free hash_it_t pointer when stopping hash_iterate early */ +void hash_iterate_free(struct hash_it_t *iter_in); + #endif diff --git a/unix_sock.c b/unix_sock.c index 4553db5..3915553 100644 --- a/unix_sock.c +++ b/unix_sock.c @@ -192,6 +192,7 @@ static int unix_sock_req_data_reply(struct globals *globals, int client_sock, if (write(client_sock, buf, sizeof(push->header) + len) < 0) { ret = -1; + hash_iterate_free(hashit); break; } }

1 0

[alfred] master: alfred: Fix length check for push_data (39a7d35)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 39a7d3526aeb06fc992a15634f11512ec0c563ae Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:15 2014 +0200 alfred: Fix length check for push_data The client receives the push_data header and the header of a data_block when it tries to parse the answer of an request. The remaining buffer size to store the actual data has to remove these two headers from its available, original buffer size. The read of the data would otherwise (potentially) overflow the output buffer. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> [sw: fixed sign in buf_data_len for sizeof(*data)] Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 39a7d3526aeb06fc992a15634f11512ec0c563ae client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/client.c b/client.c index 3670f4f..cbc6867 100644 --- a/client.c +++ b/client.c @@ -38,6 +38,7 @@ int alfred_client_request_data(struct globals *globals) struct alfred_tlv *tlv; struct alfred_data *data; int ret, len, data_len, i; + const size_t buf_data_len = sizeof(buf) - sizeof(*push) - sizeof(*data); if (unix_sock_open_client(globals, ALFRED_SOCK_PATH)) return -1; @@ -88,7 +89,7 @@ int alfred_client_request_data(struct globals *globals) data_len = ntohs(data->header.length); /* would it fit? it should! */ - if (data_len > (int)(sizeof(buf) - sizeof(*push))) + if (data_len > (int)buf_data_len) break; /* read the data */

1 0

[alfred] master: alfred: Handle fcntl error return codes (217c8de)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 217c8deb9484d1705bf26523b77dba7503d4d131 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:14 2014 +0200 alfred: Handle fcntl error return codes fcntl doesn't return non-error return values when starting a F_GETFL operation. These have to be handled or otherwise a garbage value is given to fcntl for the F_SETFL operation. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 217c8deb9484d1705bf26523b77dba7503d4d131 netsock.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/netsock.c b/netsock.c index 8712c11..305983f 100644 --- a/netsock.c +++ b/netsock.c @@ -48,6 +48,7 @@ int netsock_open(struct globals *globals) int sock; struct sockaddr_in6 sin6; struct ifreq ifr; + int ret; globals->netsock = -1; @@ -86,7 +87,18 @@ int netsock_open(struct globals *globals) goto err; } - fcntl(sock, F_SETFL, fcntl(sock, F_GETFL, 0) | O_NONBLOCK); + ret = fcntl(sock, F_GETFL, 0); + if (ret < 0) { + fprintf(stderr, "failed to get file status flags\n"); + goto err; + } + + ret = fcntl(sock, F_SETFL, ret | O_NONBLOCK); + if (ret < 0) { + fprintf(stderr, "failed to set file status flags\n"); + goto err; + } + globals->netsock = sock; return 0;

1 0

[alfred] master: alfred: Use strncpy instead of strcpy for string copy (71dbc00)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 71dbc00fd879f1e592b07d8397f724fb3f69ac64 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:12 2014 +0200 alfred: Use strncpy instead of strcpy for string copy The data used in strcpy is partially provided by the user. This can be larger than the destination buffer and thus overwrite data after the actual string buffer. This can easily be avoided by using strncpy. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 71dbc00fd879f1e592b07d8397f724fb3f69ac64 debugfs.c | 4 +++- gpsd/alfred-gpsd.c | 18 +++++++++++++++--- unix_sock.c | 6 ++++-- vis/vis.c | 3 ++- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/debugfs.c b/debugfs.c index adada7c..4b8801a 100644 --- a/debugfs.c +++ b/debugfs.c @@ -78,7 +78,9 @@ static const char *debugfs_find_mountpoint(void) while (*ptr) { if (debugfs_valid_mountpoint(*ptr) == 0) { debugfs_found = 1; - strcpy(debugfs_mountpoint, *ptr); + strncpy(debugfs_mountpoint, *ptr, + sizeof(debugfs_mountpoint)); + debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = 0; return debugfs_mountpoint; } ptr++; diff --git a/gpsd/alfred-gpsd.c b/gpsd/alfred-gpsd.c index 089f2af..84a0ded 100644 --- a/gpsd/alfred-gpsd.c +++ b/gpsd/alfred-gpsd.c @@ -36,7 +36,8 @@ static int alfred_open_sock(struct globals *globals) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_LOCAL; - strcpy(addr.sun_path, ALFRED_SOCK_PATH); + strncpy(addr.sun_path, ALFRED_SOCK_PATH, sizeof(addr.sun_path)); + addr.sun_path[sizeof(addr.sun_path) - 1] = '\0'; if (connect(globals->unix_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { @@ -300,6 +301,10 @@ static void gpsd_read_gpsd(struct globals *globals) size_t cnt; bool eol = false; char buf[4096]; + const size_t tpv_size = sizeof(*globals->buf) - + sizeof(*globals->push) - + sizeof(struct alfred_data) - + sizeof(*globals->gpsd_data); cnt = 0; do { @@ -328,7 +333,9 @@ static void gpsd_read_gpsd(struct globals *globals) #define STARTSWITH(str, prefix) strncmp(str, prefix, sizeof(prefix)-1)==0 if (STARTSWITH(buf, "{\"class\":\"TPV\"")) { - strcpy(globals->gpsd_data->tpv, buf); + strncpy(globals->gpsd_data->tpv, buf, tpv_size); + globals->gpsd_data->tpv[tpv_size - 1] = '\0'; + globals->gpsd_data->tpv_len = htonl(strlen(globals->gpsd_data->tpv) + 1); } @@ -443,6 +450,10 @@ static int gpsd_server(struct globals *globals) int max_fd, ret; const size_t overhead = sizeof(*globals->push) + sizeof(struct alfred_data); + const size_t tpv_size = sizeof(*globals->buf) - + sizeof(*globals->push) - + sizeof(struct alfred_data) - + sizeof(*globals->gpsd_data); long interval; globals->push = (struct alfred_push_data_v0 *) globals->buf; @@ -456,7 +467,8 @@ static int gpsd_server(struct globals *globals) globals->push->data->header.type = GPSD_PACKETTYPE; globals->push->data->header.version = GPSD_PACKETVERSION; - strcpy(globals->gpsd_data->tpv, GPSD_INIT_TPV); + strncpy(globals->gpsd_data->tpv, GPSD_INIT_TPV, tpv_size); + globals->gpsd_data->tpv[tpv_size - 1] = '\0'; globals->gpsd_data->tpv_len = htonl(strlen(globals->gpsd_data->tpv) + 1); diff --git a/unix_sock.c b/unix_sock.c index 8251c81..4553db5 100644 --- a/unix_sock.c +++ b/unix_sock.c @@ -50,7 +50,8 @@ int unix_sock_open_daemon(struct globals *globals, const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_LOCAL; - strcpy(addr.sun_path, path); + strncpy(addr.sun_path, path, sizeof(addr.sun_path)); + addr.sun_path[sizeof(addr.sun_path) - 1] = '\0'; if (bind(globals->unix_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { @@ -81,7 +82,8 @@ int unix_sock_open_client(struct globals *globals, const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_LOCAL; - strcpy(addr.sun_path, path); + strncpy(addr.sun_path, path, sizeof(addr.sun_path)); + addr.sun_path[sizeof(addr.sun_path) - 1] = '\0'; if (connect(globals->unix_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { diff --git a/vis/vis.c b/vis/vis.c index 2928d65..f429942 100644 --- a/vis/vis.c +++ b/vis/vis.c @@ -168,7 +168,8 @@ static int alfred_open_sock(struct globals *globals) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_LOCAL; - strcpy(addr.sun_path, ALFRED_SOCK_PATH); + strncpy(addr.sun_path, ALFRED_SOCK_PATH, sizeof(addr.sun_path)); + addr.sun_path[sizeof(addr.sun_path) - 1] = '\0'; if (connect(globals->unix_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {

1 0

[alfred] master: batadv-vis: Avoid invalid access in orig_list (807ce0f)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 807ce0f505ea1057dd83234106d288fe8d60d9a4 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:10 2014 +0200 batadv-vis: Avoid invalid access in orig_list The orig list parsing tries to gather information from 4 columns for each line. The second part of the parsing routine should only be started when all columns could be found. Otherwise parts of the variables are uninitialized. Dereferencing iface in such a situation can cause a segfault. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 807ce0f505ea1057dd83234106d288fe8d60d9a4 vis/vis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vis/vis.c b/vis/vis.c index 31f60d7..2928d65 100644 --- a/vis/vis.c +++ b/vis/vis.c @@ -350,7 +350,7 @@ static int parse_orig_list(struct globals *globals) default: break; } } - if (tnum >= 4) { + if (tnum > 4) { if (strcmp(dest, neigh) == 0) { tq_val = strtol(tq, NULL, 10); if (tq_val < 1 || tq_val > 255)

1 0

[alfred] master: alfred: Force null termination of string after strncpy (9f42617)
by postmaster＠open-mesh.org 27 May '14

27 May '14

Repository : ssh://git@open-mesh.org/alfred On branch : master >--------------------------------------------------------------- commit 9f426172712daa5f502743070d4cca3309366dd4 Author: Sven Eckelmann <sven(a)narfation.org> Date: Sat May 24 13:44:07 2014 +0200 alfred: Force null termination of string after strncpy strncpy doesn't terminate the string with a '\0' character when the length of the destination memory location was shorter than the source string. Accessing it again with string related functions isn't safe after such a semi-failed copy and the caller has to handle it. The easiest way is to always set the last character in the destination buffer to '\0' after the strncpy was called. Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> >--------------------------------------------------------------- 9f426172712daa5f502743070d4cca3309366dd4 debugfs.c | 1 + netsock.c | 1 + server.c | 1 + vis/vis.c | 1 + 4 files changed, 4 insertions(+) diff --git a/debugfs.c b/debugfs.c index 1e9418d..adada7c 100644 --- a/debugfs.c +++ b/debugfs.c @@ -154,6 +154,7 @@ char *debugfs_mount(const char *mountpoint) /* save the mountpoint */ strncpy(debugfs_mountpoint, mountpoint, sizeof(debugfs_mountpoint)); + debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = '\0'; debugfs_found = 1; return debugfs_mountpoint; diff --git a/netsock.c b/netsock.c index 08d2959..8712c11 100644 --- a/netsock.c +++ b/netsock.c @@ -59,6 +59,7 @@ int netsock_open(struct globals *globals) memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ - 1] = '\0'; if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) { fprintf(stderr, "can't get interface: %s\n", strerror(errno)); goto err; diff --git a/server.c b/server.c index fdd97d4..e4465dc 100644 --- a/server.c +++ b/server.c @@ -242,6 +242,7 @@ static void check_if_socket(struct globals *globals) memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ - 1] = '\0'; if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) { fprintf(stderr, "can't get interface: %s, closing netsock\n", strerror(errno)); diff --git a/vis/vis.c b/vis/vis.c index b51fede..9031b27 100644 --- a/vis/vis.c +++ b/vis/vis.c @@ -102,6 +102,7 @@ static int get_if_mac(char *ifname, uint8_t *mac) int sock, ret; strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ - 1] = '\0'; if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { fprintf(stderr, "can't get interface: %s\n", strerror(errno));

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

commits May 2014