MonetDB: Dec2016 - Make sure we don't touch memory that doesn't ...

Tue, 16 May 2017 02:19:18 -0700 

Changeset: 8cb80fc92ece for MonetDB
URL: http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=8cb80fc92ece
Modified Files:
        tools/merovingian/utils/properties.c
        tools/merovingian/utils/utils.c
        tools/merovingian/utils/utils.h
Branch: Dec2016
Log Message:

Make sure we don't touch memory that doesn't belong to us

The list argument of the function readConfFileFull has been allocated
statically, and now has length of 64. The convention in the existing code is
that the last entry is a sentinel, so in total we can use 63 entries. Make sure
we don't write past the last entry.

This fixes bug 6318


diffs (63 lines):

diff --git a/tools/merovingian/utils/properties.c 
b/tools/merovingian/utils/properties.c
--- a/tools/merovingian/utils/properties.c
+++ b/tools/merovingian/utils/properties.c
@@ -24,7 +24,7 @@
        "# This file is used by monetdbd\n\n"
 
 /* these are the properties used for starting an mserver */
-static confkeyval _internal_prop_keys[50] = {
+static confkeyval _internal_prop_keys[PROPLENGTH] = {
        {"type",     NULL, 0, STR},
        {"shared",   NULL, 0, STR},
        {"nthreads", NULL, 0, INT},
diff --git a/tools/merovingian/utils/utils.c b/tools/merovingian/utils/utils.c
--- a/tools/merovingian/utils/utils.c
+++ b/tools/merovingian/utils/utils.c
@@ -77,10 +77,16 @@ readConfFileFull(confkeyval *list, FILE 
        char *separator = "=";
        char *err;
        confkeyval *t = list;
+       int cnt = 0;
 
        /* iterate until the end of the array */
        while (list->key != NULL) {
+               /* If we already have PROPLENGTH entries, */
+               if (cnt >= PROPLENGTH - 1) {
+                       break;
+               }
                list++;
+               cnt++;
        }
        /* read the file a line at a time */
        while (fgets(buf, sizeof(buf), cnf) != NULL) {
@@ -96,11 +102,18 @@ readConfFileFull(confkeyval *list, FILE 
                                        free(err); /* ignore, just fall back to 
default */
                                }
                        } else {
+                               /* If we already have more than PROPLENGTH 
entries, ignore every
+                                * ad hoc property
+                                */
+                               if (cnt >= PROPLENGTH - 1) {
+                                       continue;
+                               }
                                list->key = strdup(key);
                                list->val = strdup(val);
                                list->ival = 0;
                                list->type = STR;
                                list++;
+                               cnt++;
                        }
                }
        }
diff --git a/tools/merovingian/utils/utils.h b/tools/merovingian/utils/utils.h
--- a/tools/merovingian/utils/utils.h
+++ b/tools/merovingian/utils/utils.h
@@ -12,6 +12,8 @@
 #include <stdio.h>  /* FILE* */
 #include <sys/types.h>   /* time_t */
 
+#define PROPLENGTH 64 /* Max number of properties */
+
 enum valtype {
        INVALID = 0,
        INT,
_______________________________________________
checkin-list mailing list
[email protected]
https://www.monetdb.org/mailman/listinfo/checkin-list

Reply via email to