Hi,

when compiled with "-D_FORTIFY_SOURCE=2", slpd fails with $SUBJ.

There has already been discussion about it in the past (and it
also includes a reproducer), but the problem is still present
in openslp-2.0.0:
https://www.mail-archive.com/openslp-devel@lists.sourceforge.net/msg00260.html

With "-D_FORTIFY_SOURCE=2", compile-time protection against static-sized
buffer overflows is enabled. The compiler knows that the
destination buffer "char storage[2]" pointed to by the "operator"
variable is just two bytes long.
An error is raised when strncpy tries to write more there (although
there is intentionally allocated memory after the destination buffer
which can hold the whole source string).

"-D_FORTIFY_SOURCE=2" is nowadays used quite commonly across various
Linux distributions, so it's worth fixing upstream.

Proposed patch attached.

Best regards,
Vitezslav Crhonek
--- slpd_predicate.c.orig	2012-12-11 00:31:53.000000000 +0100
+++ slpd_predicate.c	2015-01-19 15:14:40.450363448 +0100
@@ -1425,6 +1425,8 @@
          break;
       }
       pNextNode = pNode->next;
+      xfree(pNode->nodeBody.comparison.tag_str);
+      xfree(pNode->nodeBody.comparison.value_str);
       xfree(pNode);
       pNode = pNextNode;
    }
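Review bot: the two added xfree() calls run unconditionally for every node on the list, but the `break; }` just above shows this loop already dispatches on node type, and the second hunk only assigns tag_str/value_str in the comparison-leaf path. If nodeBody is a union or the list can carry non-comparison nodes, these frees read pointers that were never assigned; guard them with a check on pNode->nodeType (or move them into the comparison case of the switch above) so that only comparison leaves release their strings.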
@@ -1643,26 +1645,28 @@
       rhs = val_start;
 
       /***** Create leaf node. *****/
-      *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + rhs_len);
+      *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode));
       if (!(*ppNode))
          return PREDICATE_PARSE_INTERNAL_ERROR;
 
+      (*ppNode)->nodeBody.comparison.tag_str = (char *)xmalloc((lhs_len+1) * sizeof(char));
+      if (!((*ppNode)->nodeBody.comparison.tag_str))
+         return PREDICATE_PARSE_INTERNAL_ERROR;
+
+      (*ppNode)->nodeBody.comparison.value_str = (char *)xmalloc((rhs_len+1) * sizeof(char));
+      if (!((*ppNode)->nodeBody.comparison.value_str))
+         return PREDICATE_PARSE_INTERNAL_ERROR;
+
       (*ppNode)->nodeType = op;
       (*ppNode)->next = (SLPDPredicateTreeNode *)0;
 
-      /* Finished with "operator" now - just use as temporary pointer to assist with copying the
-       * attribute name (lhs) and required value (rhs) into the node
-       */
-      operator = (*ppNode)->nodeBody.comparison.storage;
-      strncpy(operator, lhs, lhs_len);
-      operator[lhs_len] = '\0';
       (*ppNode)->nodeBody.comparison.tag_len = lhs_len;
-      (*ppNode)->nodeBody.comparison.tag_str = operator;
-      operator += lhs_len + 1;
-      strncpy(operator, rhs, rhs_len);
-      operator[rhs_len] = '\0';
+      strncpy((*ppNode)->nodeBody.comparison.tag_str, lhs, lhs_len);
+      (*ppNode)->nodeBody.comparison.tag_str[lhs_len] = '\0';
+
       (*ppNode)->nodeBody.comparison.value_len = rhs_len;
-      (*ppNode)->nodeBody.comparison.value_str = operator;
+      strncpy((*ppNode)->nodeBody.comparison.value_str, rhs, rhs_len);
+      (*ppNode)->nodeBody.comparison.value_str[rhs_len] = '\0';
 
       return PREDICATE_PARSE_OK;
    }
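Review bot: the error paths of the two new allocations leave the node in a state the cleanup loop of the first hunk cannot handle if the caller tears down the partially built tree: when the tag_str xmalloc fails, value_str is still uninitialized, and when the value_str xmalloc fails, tag_str is leaked, yet both pointers are later passed to xfree(). Set `(*ppNode)->nodeBody.comparison.tag_str = NULL;` and `(*ppNode)->nodeBody.comparison.value_str = NULL;` right after the node is allocated (or use a zeroing allocator), and free tag_str before returning PREDICATE_PARSE_INTERNAL_ERROR on the second failure. Minor: since lhs_len and rhs_len are known, `memcpy` plus the explicit terminator says what is meant more clearly than `strncpy`; and with every use of `storage` removed from this file, the `storage` member of SLPDPredicateTreeNode is now dead and should be dropped from the struct definition in the same change.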
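As an added example (constructed here; it is neither OpenSLP code nor the approach the attached patch takes), the same single-allocation layout rewritten with a C99 flexible array member, which a fortified strncpy/memcpy cannot mis-bound because the member has no declared size. The type and field names are hypothetical stand-ins for SLPDPredicateTreeNode, and the "(service-type=printer)" leaf is constructed input.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SLPDPredicateTreeNode (constructed example).
 * The original ended in "char storage[2]" and over-allocated the node so
 * both strings could follow it; a fortified strncpy() bounds the write by
 * the declared member size (2 bytes) and aborts although the memory is
 * there. A flexible array member has no declared size, so the object-size
 * check cannot fire, and one allocation still holds both strings. */
typedef struct pred_node {
    struct pred_node *next;
    size_t tag_len;
    size_t value_len;
    char *tag_str;
    char *value_str;
    char storage[];           /* C99 flexible array member */
} pred_node_t;

pred_node_t *pred_node_create(const char *lhs, size_t lhs_len,
                              const char *rhs, size_t rhs_len)
{
    /* header plus both strings and their NUL terminators */
    pred_node_t *n = malloc(sizeof *n + lhs_len + 1 + rhs_len + 1);
    if (n == NULL)
        return NULL;
    n->next = NULL;
    n->tag_len = lhs_len;
    n->value_len = rhs_len;
    n->tag_str = n->storage;
    memcpy(n->tag_str, lhs, lhs_len);  /* lengths are known: memcpy, not strncpy */
    n->tag_str[lhs_len] = '\0';
    n->value_str = n->storage + lhs_len + 1;
    memcpy(n->value_str, rhs, rhs_len);
    n->value_str[rhs_len] = '\0';
    return n;
}

void pred_node_free(pred_node_t *n)
{
    free(n);                  /* strings live inside the node: one free */
}

/* Builds a node for the constructed leaf "(service-type=printer)" and checks
 * that both strings round-trip; returns 1 on success, 0 otherwise. */
int pred_node_roundtrip(void)
{
    pred_node_t *n = pred_node_create("service-type", 12, "printer", 7);
    int ok = n != NULL
          && n->tag_len == 12 && strcmp(n->tag_str, "service-type") == 0
          && n->value_len == 7 && strcmp(n->value_str, "printer") == 0;
    pred_node_free(n);
    return ok;
}
```

Compiled with -O2 -D_FORTIFY_SOURCE=2 this runs clean, whereas the same copies into a trailing `char storage[2]` trip the run-time check.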
_______________________________________________
Openslp-devel mailing list
Openslp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openslp-devel