[patch]diff: xstrdup wraps strdup(3)

2015-06-17 Thread Fritjof Bornebusch
Hi tech@,

as requested by nicm@, xstrdup calls strdup(3) now.

Regards,
--F.


Index: xmalloc.c
===
RCS file: /cvs/src/usr.bin/diff/xmalloc.c,v
retrieving revision 1.6
diff -u -p -r1.6 xmalloc.c
--- xmalloc.c   29 Apr 2015 04:00:25 -  1.6
+++ xmalloc.c   17 Jun 2015 18:13:25 -
@@ -73,12 +73,10 @@ xfree(void *ptr)
 char *
 xstrdup(const char *str)
 {
-   size_t len;
char *cp;
-
-   len = strlen(str) + 1;
-   cp = xmalloc(len);
-   strlcpy(cp, str, len);
+   
+   if ((cp = strdup(str)) == NULL)
+   err(1, xstrdup);
return cp;
 }
 
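
Review bot: The added line right after `char *cp;` is not empty: it carries trailing whitespace where the removed separator line was blank, so please strip it. On the error path, err(3) already appends the strerror(errno) text, so the message only needs to name the failing call; the follow-up in this thread suggests `strdup` rather than `xstrdup` there.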



Re: [patch]file: xstrdup just wraps strdup(3)

2015-06-17 Thread Gleydson Soares
 +   err(1, xstrdup);

slight tweak, usually the err output is:
err(1, strdup)



[patch]diff: uninitialized values

2015-06-17 Thread Fritjof Bornebusch
Hi tech@,

*edp1* and *edp2* could be used uninitialized, if *goto closem;* is called.

Regards,
--F.


Index: diffdir.c
===
RCS file: /cvs/src/usr.bin/diff/diffdir.c,v
retrieving revision 1.43
diff -u -p -r1.43 diffdir.c
--- diffdir.c   16 Jan 2015 06:40:07 -  1.43
+++ diffdir.c   17 Jun 2015 18:50:57 -
@@ -48,8 +48,8 @@ static void diffit(struct dirent *, char
 void
 diffdir(char *p1, char *p2, int flags)
 {
-   struct dirent *dent1, **dp1, **edp1, **dirp1 = NULL;
-   struct dirent *dent2, **dp2, **edp2, **dirp2 = NULL;
+   struct dirent *dent1, **dp1, **edp1 = NULL, **dirp1 = NULL;
+   struct dirent *dent2, **dp2, **edp2 = NULL, **dirp2 = NULL;
size_t dirlen1, dirlen2;
char path1[PATH_MAX], path2[PATH_MAX];
int pos;
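
Review bot: Nothing in this hunk shows `edp1` or `edp2` being read on the `goto closem` path, so the `= NULL` initializers cannot be checked against the code they are meant to protect. If they only quiet a "may be used uninitialized" warning, say so in the commit message and name the compiler, since a blanket initializer also suppresses the same warning for any real uninitialized use added later.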



Re: [patch]diff: uninitialized values

2015-06-17 Thread Fritjof Bornebusch
On Wed, Jun 17, 2015 at 08:53:57PM +0200, Fritjof Bornebusch wrote:
 Hi tech@,
 
 *edp1* and *edp2* could be used uninitialized, if *goto closem;* is called.


Such initializers hide a false positive, because the compiler does not
understand that this case can never happen.
- warning: 'edp1' may be used uninitialized in this function
- warning: 'edp2' may be used uninitialized in this function

Sorry for not being that clear.
 
 Regards,
 --F.
 
 
 Index: diffdir.c
 ===
 RCS file: /cvs/src/usr.bin/diff/diffdir.c,v
 retrieving revision 1.43
 diff -u -p -r1.43 diffdir.c
 --- diffdir.c 16 Jan 2015 06:40:07 -  1.43
 +++ diffdir.c 17 Jun 2015 18:50:57 -
 @@ -48,8 +48,8 @@ static void diffit(struct dirent *, char
  void
  diffdir(char *p1, char *p2, int flags)
  {
 - struct dirent *dent1, **dp1, **edp1, **dirp1 = NULL;
 - struct dirent *dent2, **dp2, **edp2, **dirp2 = NULL;
 + struct dirent *dent1, **dp1, **edp1 = NULL, **dirp1 = NULL;
 + struct dirent *dent2, **dp2, **edp2 = NULL, **dirp2 = NULL;
   size_t dirlen1, dirlen2;
   char path1[PATH_MAX], path2[PATH_MAX];
   int pos;
 



Re: [patch]diff: xstrdup wraps strdup(3)

2015-06-17 Thread Nicholas Marriott
Any ok for this, and the same for rcs? (And ssh?)


On Wed, Jun 17, 2015 at 08:42:04PM +0200, Fritjof Bornebusch wrote:
 Hi tech@,
 
 as requested by nicm@, xstrdup calls strdup(3) now.
 
 Regards,
 --F.
 
 
 Index: xmalloc.c
 ===
 RCS file: /cvs/src/usr.bin/diff/xmalloc.c,v
 retrieving revision 1.6
 diff -u -p -r1.6 xmalloc.c
 --- xmalloc.c 29 Apr 2015 04:00:25 -  1.6
 +++ xmalloc.c 17 Jun 2015 18:13:25 -
 @@ -73,12 +73,10 @@ xfree(void *ptr)
  char *
  xstrdup(const char *str)
  {
 - size_t len;
   char *cp;
 -
 - len = strlen(str) + 1;
 - cp = xmalloc(len);
 - strlcpy(cp, str, len);
 + 
 + if ((cp = strdup(str)) == NULL)
 + err(1, xstrdup);
   return cp;
  }
  



[patch]file: xstrdup just wraps strdup(3)

2015-06-17 Thread Fritjof Bornebusch
Hi tech@,

as requested by nicm@, xstrdup calls strdup(3) now.

Regards,
--F.


Index: xmalloc.c
===
RCS file: /cvs/src/usr.bin/file/xmalloc.c,v
retrieving revision 1.1
diff -u -p -r1.1 xmalloc.c
--- xmalloc.c   24 Apr 2015 16:24:11 -  1.1
+++ xmalloc.c   17 Jun 2015 18:18:10 -
@@ -76,13 +76,10 @@ xfree(void *ptr)
 char *
 xstrdup(const char *str)
 {
-   size_t len;
char *cp;
 
-   len = strlen(str) + 1;
-   cp = xmalloc(len);
-   if (strlcpy(cp, str, len) = len)
-   errx(1, xstrdup: string truncated);
+   if ((cp = strdup(str)) == NULL)
+   err(1, xstrdup);
return cp;
 }
 
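
Review bot: The removed `strlcpy` truncation branch could never fire, because `len` was computed as `strlen(str) + 1` from the same string two lines earlier; state in the commit message that no check is lost. The failure path also switches from errx() to err(), so the output gains the strerror(errno) text, which fits an allocation failure.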



[patch]ssh: xstrdup wraps strdup(3)

2015-06-17 Thread Fritjof Bornebusch
Hi tech@,

as requested by nicm@, xstrdup just wraps strdup(3).

Regards,
--F.


Index: xmalloc.c
===
RCS file: /cvs/src/usr.bin/ssh/xmalloc.c,v
retrieving revision 1.32
diff -u -p -r1.32 xmalloc.c
--- xmalloc.c   24 Apr 2015 01:36:01 -  1.32
+++ xmalloc.c   17 Jun 2015 18:42:43 -
@@ -13,6 +13,7 @@
  * called by a name other than ssh or Secure Shell.
  */
 
+#include errno.h
 #include stdarg.h
 #include stdint.h
 #include stdio.h
@@ -66,12 +67,10 @@ xreallocarray(void *ptr, size_t nmemb, s
 char *
 xstrdup(const char *str)
 {
-   size_t len;
char *cp;
 
-   len = strlen(str) + 1;
-   cp = xmalloc(len);
-   strlcpy(cp, str, len);
+   if ((cp = strdup(str)) == NULL)
+   fatal(xstrdup: %s, strerror(errno));
return cp;
 }
 
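
Review bot: In the new `fatal()` call, `strerror(errno)` can only ever report an out-of-memory condition, since ENOMEM is the one error strdup(3) documents. A fixed message would say the same thing and would make the `errno.h` include added in the first hunk unnecessary. If the strerror form is kept, `errno` is read as an argument before `fatal()` runs, which is correct as written.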



snapshots

2015-06-17 Thread Theo de Raadt
Snapshots will be in disarray for the next day or two as I
move everything from 5.7 to 5.8-beta.



Chromium package is recording you?

2015-06-17 Thread L.R. D.S.
Hi,
On the Debian lists it was reported that a new version of chromium has a closed-source
module that activates audio recording without the user's concern.
Since the chromium package is on ftp and (I think) on CD, should the OpenBSD
Project remove it?

Here is the report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909



Re: bridge_output() without m_buf_tag

2015-06-17 Thread Martin Pieuchot
On 08/06/15(Mon) 15:58, Martin Pieuchot wrote:
 Diff below moves bridge_output() to if_output().  It fixes the case I
 already described some weeks ago where you have a physical interface
 in a bridge and a vlan on top of it which is not in the bridge.
 
 It also changes the loop prevention code to use M_PROTO1 like in the
 input path.
 
 Tests, comments and oks welcome.

Updated diff to match the recent if_get() change.  I've got one positive
report so far, any ok?

Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.340
diff -u -p -r1.340 if.c
--- net/if.c16 Jun 2015 11:09:39 -  1.340
+++ net/if.c17 Jun 2015 12:01:12 -
@@ -449,6 +449,19 @@ if_output(struct ifnet *ifp, struct mbuf
int s, length, error = 0;
unsigned short mflags;
 
+#ifdef DIAGNOSTIC
+   if (ifp-if_rdomain != rtable_l2(m-m_pkthdr.ph_rtableid)) {
+   printf(%s: trying to send packet on wrong domain. 
+   if %d vs. mbuf %d\n, ifp-if_xname, ifp-if_rdomain,
+   rtable_l2(m-m_pkthdr.ph_rtableid));
+   }
+#endif
+
+#if NBRIDGE  0
+   if (ifp-if_bridgeport  (m-m_flags  M_PROTO1) == 0)
+   return (bridge_output(ifp, m, NULL, NULL));
+#endif
+
length = m-m_pkthdr.len;
mflags = m-m_flags;
 
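
Review bot: The DIAGNOSTIC printf added at the top of if_output() drops the `AF %d` field that the ether_output() version printed from `dst->sa_family`. if_output() has no `dst`, so the loss is forced by the move, but it should be mentioned in the commit message because the wrong-domain diagnostic becomes less specific.
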
Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.244
diff -u -p -r1.244 if_bridge.c
--- net/if_bridge.c 16 Jun 2015 11:09:39 -  1.244
+++ net/if_bridge.c 17 Jun 2015 12:01:12 -
@@ -2635,10 +2635,12 @@ bridge_ifenqueue(struct bridge_softc *sc
 {
int error, len;
 
+   /* Loop prevention. */
+   m-m_flags |= M_PROTO1;
+
 #if NGIF  0
/* Packet needs etherip encapsulation. */
if (ifp-if_type == IFT_GIF) {
-   m-m_flags |= M_PROTO1;
 
/* Count packets input into the gif from outside */
ifp-if_ipackets++;
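
Review bot: `M_PROTO1` is now set on every packet that passes through bridge_ifenqueue(), not only on the gif path. The comment "Loop prevention." should say where the flag is tested (the new bridgeport check in if_output()) and where it is cleared, since nothing in this diff clears it on the output side.
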
Index: net/if_ethersubr.c
===
RCS file: /cvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.205
diff -u -p -r1.205 if_ethersubr.c
--- net/if_ethersubr.c  16 Jun 2015 11:09:39 -  1.205
+++ net/if_ethersubr.c  17 Jun 2015 12:01:12 -
@@ -181,15 +181,6 @@ ether_output(struct ifnet *ifp, struct m
struct arpcom *ac = (struct arpcom *)ifp;
int error = 0;
 
-#ifdef DIAGNOSTIC
-   if (ifp-if_rdomain != rtable_l2(m-m_pkthdr.ph_rtableid)) {
-   printf(%s: trying to send packet on wrong domain. 
-   if %d vs. mbuf %d, AF %d\n, ifp-if_xname,
-   ifp-if_rdomain, rtable_l2(m-m_pkthdr.ph_rtableid),
-   dst-sa_family);
-   }
-#endif
-
esrc = ac-ac_enaddr;
 
if ((ifp-if_flags  (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
@@ -276,47 +267,6 @@ ether_output(struct ifnet *ifp, struct m
eh-ether_type = etype;
memcpy(eh-ether_dhost, edst, sizeof(eh-ether_dhost));
memcpy(eh-ether_shost, esrc, sizeof(eh-ether_shost));
-
-#if NBRIDGE  0
-   /*
-* Interfaces that are bridgeports need special handling for output.
-*/
-   if (ifp-if_bridgeport) {
-   struct m_tag *mtag;
-
-   /*
-* Check if this packet has already been sent out through
-* this bridgeport, in which case we simply send it out
-* without further bridge processing.
-*/
-   for (mtag = m_tag_find(m, PACKET_TAG_BRIDGE, NULL); mtag;
-   mtag = m_tag_find(m, PACKET_TAG_BRIDGE, mtag)) {
-#ifdef DEBUG
-   /* Check that the information is there */
-   if (mtag-m_tag_len != sizeof(caddr_t)) {
-   error = EINVAL;
-   goto bad;
-   }
-#endif
-   if (!memcmp(ifp-if_bridgeport, mtag + 1,
-   sizeof(caddr_t)))
-   break;
-   }
-   if (mtag == NULL) {
-   /* Attach a tag so we can detect loops */
-   mtag = m_tag_get(PACKET_TAG_BRIDGE, sizeof(caddr_t),
-   M_NOWAIT);
-   if (mtag == NULL) {
-   error = ENOBUFS;
-   goto bad;
-   }
-   memcpy(mtag + 1, ifp-if_bridgeport, sizeof(caddr_t));
-   m_tag_prepend(m, mtag);
-   error = bridge_output(ifp, m, NULL, NULL);
-   return (error);
-   }
-   }
-#endif
 
return (if_output(ifp, m));
 bad:
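
Review bot: The removed tag loop compared the tag payload against `ifp->if_bridgeport`, so it recorded which bridge port had already processed the packet; the single M_PROTO1 bit that replaces it cannot tell ports or bridges apart. Please state in the commit message whether a packet that has been through one bridge is ever expected to enter `bridge_output()` again on a port of a different bridge. Also check that the `bad:` label kept as context still has a user in ether_output() now that both `goto bad` sites in this block are gone.
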
Index: sys/mbuf.h
===
RCS file: 

Re: Convert bridge(4) to if_input()

2015-06-17 Thread Martin Pieuchot
On 08/06/15(Mon) 16:11, Martin Pieuchot wrote:
 This is the last pseudo-driver conversion.
 
 The idea is to run bridge_input() *before* any ifih on an interface.
 Doing so allows us to remove the hack between vlan(4) and bridge(4)
 and simplify the logic for stacked ifih.
 
 With that net/if_ethersubr.c is now free from #ifdef NPSEUDODRIVER.
 
 As usual, tests, comments and oks welcome.

Updated diff to match recent if_get() change, as for the other bridge
diff I've got one positive test report.

Any ok?

Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.340
diff -u -p -r1.340 if.c
--- net/if.c16 Jun 2015 11:09:39 -  1.340
+++ net/if.c17 Jun 2015 12:03:36 -
@@ -530,6 +530,15 @@ if_input_process(void *xmq)
continue;
}
 
+#if NBRIDGE  0
+   if (ifp-if_bridgeport  (m-m_flags  M_PROTO1) == 0) {
+   m = bridge_input(m);
+   if (m == NULL)
+   continue;
+   }
+   m-m_flags = ~M_PROTO1;/* Loop prevention */
+#endif
+
/*
 * Pass this mbuf to all input handlers of its
 * interface until it is consumed.
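
Review bot: `bridge_input()` is only called here when `ifp->if_bridgeport` is set, yet the new bridge_input() in the if_bridge.c part of this diff repeats the `ifp->if_bridgeport == NULL` test after doing its own if_get() lookup. Either pass `ifp` down and drop the second lookup, or add a comment saying why the repeated check is needed.
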
Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.244
diff -u -p -r1.244 if_bridge.c
--- net/if_bridge.c 16 Jun 2015 11:09:39 -  1.244
+++ net/if_bridge.c 17 Jun 2015 12:03:36 -
@@ -116,8 +116,6 @@ voidbridge_broadcast(struct bridge_soft
 void   bridge_localbroadcast(struct bridge_softc *, struct ifnet *,
 struct ether_header *, struct mbuf *);
 void   bridge_span(struct bridge_softc *, struct mbuf *);
-struct mbuf *bridge_dispatch(struct bridge_iflist *, struct ifnet *,
-struct mbuf *);
 void   bridge_stop(struct bridge_softc *);
 void   bridge_init(struct bridge_softc *);
 intbridge_bifconf(struct bridge_softc *, struct ifbifconf *);
@@ -1198,7 +1196,7 @@ bridgeintr_frame(struct bridge_softc *sc
 * If packet is unicast, destined for someone on this
 * side of the bridge, drop it.
 */
-   if ((m-m_flags  (M_BCAST | M_MCAST)) == 0) {
+   if (!ETHER_IS_MULTICAST(eh.ether_dhost)) {
if ((dst_p = bridge_rtlookup(sc, dst)) != NULL)
dst_if = dst_p-brt_if;
else
@@ -1207,8 +1205,14 @@ bridgeintr_frame(struct bridge_softc *sc
m_freem(m);
return;
}
-   } else
+   } else {
+   if (memcmp(etherbroadcastaddr, eh.ether_dhost,
+   sizeof(etherbroadcastaddr)) == 0)
+   m-m_flags |= M_BCAST;
+   else
+   m-m_flags |= M_MCAST;
dst_if = NULL;
+   }
 
/*
 * Multicast packets get handled a little differently:
@@ -1302,37 +1306,31 @@ bridgeintr_frame(struct bridge_softc *sc
  * not for us, and schedule an interrupt.
  */
 struct mbuf *
-bridge_input(struct ifnet *ifp, struct ether_header *eh0, struct mbuf *m)
+bridge_input(struct mbuf *m)
 {
+   struct ifnet *ifp;
struct bridge_softc *sc;
struct bridge_iflist *ifl;
+   struct bridge_iflist *srcifl;
struct ether_header *eh;
-#if NVLAN  0
-   uint16_t etype = ntohs(eh0-ether_type);
-#endif /* NVLAN  0 */
+   struct arpcom *ac;
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+   struct mbuf *mc;
+   int s;
 
-   /*
-* Make sure this interface is a bridge member.
-*/
-   if (ifp == NULL || ifp-if_bridgeport == NULL || m == NULL)
+   ifp = if_get(m-m_pkthdr.ph_ifidx);
+   KASSERT(ifp != NULL);
+   if (((ifp-if_flags  IFF_UP) == 0) || (ifp-if_bridgeport == NULL))
return (m);
 
if ((m-m_flags  M_PKTHDR) == 0)
panic(bridge_input(): no HDR);
 
-   m-m_flags = ~M_PROTO1;/* Loop prevention */
-
ifl = (struct bridge_iflist *)ifp-if_bridgeport;
sc = ifl-bridge_sc;
if ((sc-sc_if.if_flags  IFF_RUNNING) == 0)
return (m);
 
-   M_PREPEND(m, sizeof(*eh), M_DONTWAIT);
-   if (m == NULL)
-   return (NULL);
-   eh = mtod(m, struct ether_header *);
-   memmove(eh, eh0, sizeof(*eh));
-
 #if NBPFILTER  0
if (sc-sc_if.if_bpf)
bpf_mtap_ether(sc-sc_if.if_bpf, m, BPF_DIRECTION_IN);
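
Review bot: `m->m_pkthdr.ph_ifidx` is read for the if_get() call before the `M_PKTHDR` test that panics on a header-less mbuf, so that test can no longer catch the case it exists for; move it above the lookup. `KASSERT(ifp != NULL)` also turns a failed if_get() into a panic on DIAGNOSTIC kernels, where the removed code returned `m` for a NULL `ifp`; returning the mbuf unchanged would keep the old behaviour.
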
@@ -1340,35 +1338,8 @@ bridge_input(struct ifnet *ifp, struct e
 
bridge_span(sc, m);
 
-   m = bridge_dispatch(ifl, ifp, m);
-
-#if NVLAN  0
-   if ((m != NULL)  ((m-m_flags  M_VLANTAG) ||
-   etype == ETHERTYPE_VLAN || etype == ETHERTYPE_QINQ)) {
-   /* The bridge did not want the vlan frame either, drop it. */
-   ifp-if_noproto++;
-  

Re: [patch]rcs: xstrdup just wraps strdup

2015-06-17 Thread Fritjof Bornebusch
On Mon, Jun 15, 2015 at 10:22:27AM +0100, Nicholas Marriott wrote:
 What about diff and ssh and file? They all use a copy of the same
 xmalloc.c.
 


Personally, I would recommend that xstrdup just calls strdup(3), as
Theo said: it's 100.00% portable.

But I don't think I'm the right person who should answer that question. ;)
 
Regards,
--F.

 
 On Mon, Jun 15, 2015 at 10:00:01AM +0200, Fritjof Bornebusch wrote:
  Hi,
  
  thanks for the hint.
  This one should do the trick.
  
  
  
  
  Index: xmalloc.c
  ===
  RCS file: /cvs/src/usr.bin/rcs/xmalloc.c,v
  retrieving revision 1.9
  diff -u -p -r1.9 xmalloc.c
  --- xmalloc.c   13 Jun 2015 20:15:21 -  1.9
  +++ xmalloc.c   15 Jun 2015 07:52:15 -
  @@ -68,13 +68,10 @@ xreallocarray(void *ptr, size_t nmemb, s
   char *
   xstrdup(const char *str)
   {
  -   size_t len;
  char *cp;
  -
  -   len = strlen(str) + 1;
  -   cp = xmalloc(len);
  -   if (strlcpy(cp, str, len) = len)
  -   errx(1, xstrdup: string truncated);
  +   
  +   if ((cp = strdup(str)) == NULL)
  +   err(1, xstrdup);
  return cp;
   }
   
 



bridge(4) local broadcast fix

2015-06-17 Thread Martin Pieuchot
It makes sense to not retransmit a packet on the interface it was
received from but we should still call bridge_localbroadcast() on
this interface, otherwise the network stack never sees this packet.

This fixes the configuration where you have a vlan(4) on top of an
interface in a bridge(4) and the vlan(4) is not in the bridge(4).

ok?

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.244
diff -u -p -r1.244 if_bridge.c
--- net/if_bridge.c 16 Jun 2015 11:09:39 -  1.244
+++ net/if_bridge.c 17 Jun 2015 12:05:05 -
@@ -1500,12 +1500,9 @@ bridge_broadcast(struct bridge_softc *sc
int len, used = 0;
 
TAILQ_FOREACH(p, sc-sc_iflist, next) {
-   /*
-* Don't retransmit out of the same interface where
-* the packet was received from.
-*/
dst_if = p-ifp;
-   if (dst_if-if_index == ifp-if_index)
+
+   if ((dst_if-if_flags  IFF_RUNNING) == 0)
continue;
 
if ((p-bif_flags  IFBIF_STP) 
@@ -1516,15 +1513,6 @@ bridge_broadcast(struct bridge_softc *sc
(m-m_flags  (M_BCAST | M_MCAST)) == 0)
continue;
 
-   if ((dst_if-if_flags  IFF_RUNNING) == 0)
-   continue;
-
-   if (IF_QFULL(dst_if-if_snd)) {
-   IF_DROP(dst_if-if_snd);
-   sc-sc_if.if_oerrors++;
-   continue;
-   }
-
/* Drop non-IP frames if the appropriate flag is set. */
if (p-bif_flags  IFBIF_BLOCKNONIP 
bridge_blocknonip(eh, m))
@@ -1534,6 +1522,19 @@ bridge_broadcast(struct bridge_softc *sc
continue;
 
bridge_localbroadcast(sc, dst_if, eh, m);
+
+   /*
+* Don't retransmit out of the same interface where
+* the packet was received from.
+*/
+   if (dst_if-if_index == ifp-if_index)
+   continue;
+
+   if (IF_QFULL(dst_if-if_snd)) {
+   IF_DROP(dst_if-if_snd);
+   sc-sc_if.if_oerrors++;
+   continue;
+   }
 
/* If last one, reuse the passed-in mbuf */
if (TAILQ_NEXT(p, next) == NULL) {
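
Review bot: With the same-interface test moved below `bridge_localbroadcast()`, that call now runs for the receiving interface as well, which is the point of the fix but is not stated anywhere in the code. Add a comment above `bridge_localbroadcast(sc, dst_if, eh, m);` saying the ordering is deliberate, so a later cleanup does not move the `if_index` comparison back to the top of the loop.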



Re: [patch]rcs: no null check before free(3)

2015-06-17 Thread Nicholas Marriott
Fixed, thanks


On Wed, Jun 17, 2015 at 09:51:38AM +0200, Fritjof Bornebusch wrote:
 Hi tech@,
 
 just saw I missed removing the null check before calling free(3), sorry.
 
 Regards,
 --F.
 
 
 Index: ci.c
 ===
 RCS file: /cvs/src/usr.bin/rcs/ci.c,v
 retrieving revision 1.220
 diff -u -p -r1.220 ci.c
 --- ci.c  13 Jun 2015 20:15:21 -  1.220
 +++ ci.c  17 Jun 2015 07:47:09 -
 @@ -210,8 +210,7 @@ checkin_main(int argc, char **argv)
   printf(%s\n, rcs_version);
   exit(0);
   case 'w':
 - if (pb.author != NULL)
 - free(pb.author);
 + free(pb.author);
   pb.author = xstrdup(rcs_optarg);
   break;
   case 'x':



[patch]rcs: no null check before free(3)

2015-06-17 Thread Fritjof Bornebusch
Hi tech@,

just saw I missed removing the null check before calling free(3), sorry.

Regards,
--F.


Index: ci.c
===
RCS file: /cvs/src/usr.bin/rcs/ci.c,v
retrieving revision 1.220
diff -u -p -r1.220 ci.c
--- ci.c13 Jun 2015 20:15:21 -  1.220
+++ ci.c17 Jun 2015 07:47:09 -
@@ -210,8 +210,7 @@ checkin_main(int argc, char **argv)
printf(%s\n, rcs_version);
exit(0);
case 'w':
-   if (pb.author != NULL)
-   free(pb.author);
+   free(pb.author);
pb.author = xstrdup(rcs_optarg);
break;
case 'x':



Re: Bug in uvm_pmr_get1page()?

2015-06-17 Thread Visa Hankala
On Tue, Jun 16, 2015 at 23:57 +0200, Mark Kettenis wrote:
 You're definitely on to something.  It certainly looks like your diff
 fixes the bug.  However, if there is no constraint, it would make
 sense to pick a page from the size tree of the right type.  Not sure
 if that optimization would really matter though.

How about the following patch? It adds an opportunistic size tree check
before the address tree search. If there are no constraints, the
opportunistically checked entry will be selected directly.

The updated patch does not seem to have any clear impact on
performance, at least when there is no heavy memory contention. In my
cursory tests, kernel build times were effectively the same on an amd64
with and without the fix. The octeon fared similarly.


Index: uvm/uvm_pmemrange.c
===
RCS file: src/sys/uvm/uvm_pmemrange.c,v
retrieving revision 1.44
diff -u -p -r1.44 uvm_pmemrange.c
--- uvm/uvm_pmemrange.c 13 Nov 2014 00:47:44 -  1.44
+++ uvm/uvm_pmemrange.c 17 Jun 2015 07:12:14 -
@@ -1708,11 +1708,35 @@ uvm_pmr_get1page(psize_t count, int memt
found = TAILQ_NEXT(found, pageq);
 
if (found == NULL) {
-   found = RB_ROOT(pmr-size[memtype]);
-   /* Size tree gives pg[1] instead of pg[0] */
+   /*
+* Check if the size tree contains a range
+* that intersects with the boundaries. As the
+* allocation is for any page, try the smallest
+* range so that large ranges are preserved for
+* more constrained cases. Only one entry is
+* checked here, to avoid a brute-force search.
+*
+* Note that a size tree gives pg[1] instead of
+* pg[0].
+*/
+   found = RB_MIN(uvm_pmr_size,
+   pmr-size[memtype]);
if (found != NULL) {
found--;
-
+   if (!PMR_INTERSECTS_WITH(
+   atop(VM_PAGE_TO_PHYS(found)),
+   atop(VM_PAGE_TO_PHYS(found)) +
+   found-fpgsz, start, end))
+   found = NULL;
+   }
+   }
+   if (found == NULL) {
+   /*
+* Try address-guided search to meet the page
+* number constraints.
+*/
+   found = RB_ROOT(pmr-addr);
+   if (found != NULL) {
found = uvm_pmr_rootupdate(pmr, found,
start, end, memtype);
}
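
Review bot: The `PMR_INTERSECTS_WITH()` test on the RB_MIN entry establishes only that the range overlaps `start`/`end`, not that `found` itself, the first page of the range, lies inside them. Say in the new comment which later step picks a page within the boundaries, or test containment here. `atop(VM_PAGE_TO_PHYS(found))` is also evaluated twice; a local variable would make the call easier to read.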



[patch] nm segfault

2015-06-17 Thread Sébastien Marie
Hi,

I would like to report a SEGFAULT in nm(1) that occurs with object-file
with no section headers (e_shnum = 0). This object-file was generated by
eg++ (I am not sure if the object-file is valid or not).

I am also able to reproduce the problem with edited elf object (using
hte [editors/ht]) by manually setting the section header count to zero.


$ readelf -h obj/cciVHsvd-2.o
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class: ELF64
  Data:  2's complement, little endian
  Version:   1 (current)
  OS/ABI:UNIX - System V
  ABI Version:   0
  Type:  REL (Relocatable file)
  Machine:   Advanced Micro Devices X86-64
  Version:   0x1
  Entry point address:   0x0
  Start of program headers:  0 (bytes into file)
  Start of section headers:  8932544 (bytes into file)
  Flags: 0x0
  Size of this header:   64 (bytes)
  Size of program headers:   0 (bytes)
  Number of program headers: 0
  Size of section headers:   64 (bytes)
  Number of section headers: 0 (73122)
  Section header string table index: 65535 (73374)

$ gdb -q -args ./obj/nm -n obj/cciVHsvd-2.o
(gdb) r
Starting program: /usr/obj/usr.bin/nm/nm -n obj/cciVHsvd-2.o

Program received signal SIGSEGV, Segmentation fault.
0x19a9f830728e in elf64_symload (name=0x7f7efe82 obj/cciVHsvd-2.o, 
fp=0x19aca16c7180, foff=0, eh=0x7f7efbb0,
shdr=0x19aca4026720, pnames=0x7f7efb38, psnames=0x7f7efb30, 
pstabsize=0x7f7efb28, pnrawnames=0x7f7efb70) at elf64.c:529
529 shstrsize = shdr[eh-e_shstrndx].sh_size;
(gdb) bt
#0  0x19a9f830728e in elf64_symload (name=0x7f7efe82 
obj/cciVHsvd-2.o, fp=0x19aca16c7180, foff=0, eh=0x7f7efbb0, 
shdr=0x19aca4026720, pnames=0x7f7efb38, psnames=0x7f7efb30, 
pstabsize=0x7f7efb28, pnrawnames=0x7f7efb70) at elf64.c:529
#1  0x19a9f83037ca in show_file (count=1, warn_fmt=1, name=0x7f7efe82 
obj/cciVHsvd-2.o, fp=0x19aca16c7180, foff=0, 
head=0x7f7efbb0) at /usr/src/usr.bin/nm/nm.c:636
#2  0x19a9f8302548 in process_file (count=1, fname=0x7f7efe82 
obj/cciVHsvd-2.o) at /usr/src/usr.bin/nm/nm.c:267
#3  0x19a9f83022e3 in main (argc=1, argv=0x7f7efcd8) at 
/usr/src/usr.bin/nm/nm.c:208
(gdb) print eh
$1 = (Elf64_Ehdr *) 0x7f7efbb0
(gdb) print *eh
$2 = {e_ident = \177ELF\002\001\001\000\000\000\000\000\000\000\000, e_type = 
1, e_machine = 62, e_version = 1, e_entry = 0, e_phoff = 0, 
  e_shoff = 8932544, e_flags = 0, e_ehsize = 64, e_phentsize = 0, e_phnum = 0, 
e_shentsize = 64, e_shnum = 0, e_shstrndx = 65535}
(gdb) print shdr
$3 = (Elf64_Shdr *) 0x19aca4026720
(gdb) print *shdr
Cannot access memory at address 0x19aca4026720
(gdb) quit

The segfault is caused by shdr[eh->e_shstrndx] (src/usr.bin/nm/elf.c:528).

shdr is allocated by elf_load_shdrs() (elf.c:152):

	if ((shdr = calloc(head->e_shentsize, head->e_shnum)) == NULL) {
		warn("%s: malloc shdr", name);
		return (NULL);
	}

Here, the object-file has e_shnum=0 (no section header table), so shdr
is a zero-sized object.

The patch adds two checks:
  - e_shnum == 0: no section header table
  - a consistency check (should prevent a crafted object-file from generating
an out-of-bound read).

Maybe a check for overflow would be needed too?

-- 
Sébastien Marie


Index: elf.c
===
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.28
diff -u -p -r1.28 elf.c
--- elf.c   17 May 2015 20:19:08 -  1.28
+++ elf.c   17 Jun 2015 12:05:25 -
@@ -149,6 +149,16 @@ elf_load_shdrs(const char *name, FILE *f
 
elf_fix_header(head);
 
+   if (head-e_shnum == 0) {
+   warnx(%s: no section header table, name);
+   return (NULL);
+   }
+
+   if (head-e_shstrndx = head-e_shentsize * head-e_shnum) {
+   warnx(%s: inconsistent section header table, name);
+   return (NULL);
+   }
+
if ((shdr = calloc(head-e_shentsize, head-e_shnum)) == NULL) {
warn(%s: malloc shdr, name);
return (NULL);
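
Review bot: The second check compares `e_shstrndx`, a section index, against `e_shentsize * e_shnum`, which is the table size in bytes, so any index from `e_shnum` up to that product still passes and `shdr[e_shstrndx]` remains out of bounds. Compare the index with `e_shnum` instead.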



Re: [patch] nm segfault

2015-06-17 Thread Sébastien Marie
On Wed, Jun 17, 2015 at 02:43:41PM +0200, Sébastien Marie wrote:
 Hi,
 
 I would like to report a SEGFAULT in nm(1) that occurs with object-file
 with no section headers (e_shnum = 0).
 
 
 Index: elf.c
 ===
 RCS file: /cvs/src/usr.bin/nm/elf.c,v
 retrieving revision 1.28
 diff -u -p -r1.28 elf.c
 --- elf.c 17 May 2015 20:19:08 -  1.28
 +++ elf.c 17 Jun 2015 12:05:25 -
 @@ -149,6 +149,16 @@ elf_load_shdrs(const char *name, FILE *f
  
   elf_fix_header(head);
  
 + if (head-e_shnum == 0) {
 + warnx(%s: no section header table, name);
 + return (NULL);
 + }
 +
 + if (head-e_shstrndx = head-e_shentsize * head-e_shnum) {
 + warnx(%s: inconsistent section header table, name);
 + return (NULL);
 + }

wrong here: the check should be (head->e_shstrndx >= head->e_shnum)
corrected patch below.

   if ((shdr = calloc(head-e_shentsize, head-e_shnum)) == NULL) {
   warn(%s: malloc shdr, name);
   return (NULL);

-- 
Sébastien Marie


Index: elf.c
===
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.28
diff -u -p -r1.28 elf.c
--- elf.c   17 May 2015 20:19:08 -  1.28
+++ elf.c   17 Jun 2015 15:07:19 -
@@ -149,6 +149,16 @@ elf_load_shdrs(const char *name, FILE *f
 
elf_fix_header(head);
 
+   if (head-e_shnum == 0) {
+   warnx(%s: no section header table, name);
+   return (NULL);
+   }
+
+   if (head-e_shstrndx = head-e_shnum) {
+   warnx(%s: inconsistent section header table, name);
+   return (NULL);
+   }
+
if ((shdr = calloc(head-e_shentsize, head-e_shnum)) == NULL) {
warn(%s: malloc shdr, name);
return (NULL);
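
Review bot: The `e_shnum == 0` branch reports "no section header table", but the readelf output in the report shows the same header with a non-zero section header offset and the values 0 (73122) and 65535 (73374): ELF uses `e_shnum` 0 and `e_shstrndx` 0xffff as escape values, with the real count and index stored in section header 0. Rejecting such a file is safe for nm, but the message should say the count is not in the ELF header rather than that the table is absent. The `calloc()` kept as context sizes the array by `e_shentsize` while the code indexes it as `shdr[i]`, so `e_shentsize` should also be checked against `sizeof(Elf_Shdr)`.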



[patch] nm: read after bound

2015-06-17 Thread Sébastien Marie
Hi,

This patch corrects a read after bound that occurs in strcmp (line just
after the added bound check).

Found with afl.
-- 
Sébastien Marie


Index: elf.c
===
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.28
diff -u -p -r1.28 elf.c
--- elf.c   17 May 2015 20:19:08 -  1.28
+++ elf.c   17 Jun 2015 15:18:03 -
@@ -441,7 +451,7 @@ elf_size(Elf_Ehdr *head, Elf_Shdr *shdr,
 
 int
 elf_symloadx(const char *name, FILE *fp, off_t foff, Elf_Ehdr *eh,
-Elf_Shdr *shdr, char *shstr, struct nlist **pnames,
+Elf_Shdr *shdr, char *shstr, long shstrsize, struct nlist **pnames,
 struct nlist ***psnames, size_t *pstabsize, int *pnrawnames,
 const char *strtab, const char *symtab)
 {
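
Review bot: `shstrsize` is added to the signature as `long`, while the value it is compared with, `sh_name`, is unsigned and the size it is loaded from is an ELF `sh_size`; a negative or truncated `long` makes the new bound check unreliable. Use `size_t` for the parameter here and in the elfuncs.h prototypes, after checking that the section size fits.
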
@@ -451,6 +461,10 @@ elf_symloadx(const char *name, FILE *fp,
int i;
 
for (i = 0; i  eh-e_shnum; i++) {
+   if (shdr[i].sh_name = shstrsize) {
+   warnx(%s: corrupt file, name);
+   return (1);
+   }
if (!strcmp(shstr + shdr[i].sh_name, strtab)) {
*pstabsize = shdr[i].sh_size;
if (*pstabsize  SIZE_MAX) {
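
Review bot: The new `sh_name >= shstrsize` test only proves that the name starts inside the string table; `strcmp()` on the next line still reads until it finds a NUL, so a table whose last byte is not NUL can still be read past its end. Either verify once that `shstr[shstrsize - 1] == '\0'` after loading the table, or bound the comparison by `shstrsize - shdr[i].sh_name`. Returning 1 here also abandons the remaining sections, and both callers in elf_symload() ignore the return value.
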
@@ -551,11 +565,11 @@ elf_symload(const char *name, FILE *fp, 
stab = NULL;
*pnames = NULL; *psnames = NULL; *pnrawnames = 0;
if (!dynamic_only) {
-   elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+   elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
psnames, pstabsize, pnrawnames, ELF_STRTAB, ELF_SYMTAB);
}
if (stab == NULL) {
-   elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+   elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
psnames, pstabsize, pnrawnames, ELF_DYNSTR, ELF_DYNSYM);
}
 
Index: elfuncs.h
===
RCS file: /cvs/src/usr.bin/nm/elfuncs.h,v
retrieving revision 1.3
diff -u -p -r1.3 elfuncs.h
--- elfuncs.h   30 Sep 2006 14:34:13 -  1.3
+++ elfuncs.h   17 Jun 2015 15:18:03 -
@@ -36,7 +36,7 @@ int   elf32_fix_phdrs(Elf32_Ehdr *eh, Elf3
 intelf32_fix_sym(Elf32_Ehdr *eh, Elf32_Sym *sym);
 intelf32_size(Elf32_Ehdr *, Elf32_Shdr *, u_long *, u_long *, u_long *);
 intelf32_symloadx(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
-   char *, struct nlist **, struct nlist ***, size_t *, int *,
+   char *, long, struct nlist **, struct nlist ***, size_t *, int *,
const char *, const char *);
 intelf32_symload(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
struct nlist **, struct nlist ***, size_t *, int *);
@@ -49,7 +49,7 @@ int   elf64_fix_phdrs(Elf64_Ehdr *eh, Elf6
 intelf64_fix_sym(Elf64_Ehdr *eh, Elf64_Sym *sym);
 intelf64_size(Elf64_Ehdr *, Elf64_Shdr *, u_long *, u_long *, u_long *);
 intelf64_symloadx(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
-   char *, struct nlist **, struct nlist ***, size_t *, int *,
+   char *, long, struct nlist **, struct nlist ***, size_t *, int *,
const char *, const char *);
 intelf64_symload(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
struct nlist **, struct nlist ***, size_t *, int *);
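
The two nm(1) reports above both come down to using ELF header fields as an array index or string offset before validating them. The following C code is an added example, not code from nm(1) or from the posted patches, and it goes further than the patches by resolving the `e_shnum` 0 / `e_shstrndx` 0xffff escape values and by requiring a NUL inside the string table; `ehdr_sub`, `shdr64`, `resolve_shdrs`, `section_name` and `demo_resolve` are hypothetical names, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHN_XINDEX 0xffff	/* ELF escape value: real index lives in section 0 */

/* Local stand-ins for the Elf64 fields used here (hypothetical, not nm's types). */
struct ehdr_sub { uint64_t e_shoff; uint16_t e_shentsize, e_shnum, e_shstrndx; };
struct shdr64 {
	uint32_t sh_name, sh_type;
	uint64_t sh_flags, sh_addr, sh_offset, sh_size;
	uint32_t sh_link, sh_info;
	uint64_t sh_addralign, sh_entsize;
};

enum { SH_OK, SH_NONE, SH_BAD_ENTSIZE, SH_OUT_OF_FILE, SH_BAD_STRNDX };

/* Resolve the real section count and string-table index of an ELF64 image
 * and check that the whole section header table lies inside the file. */
int
resolve_shdrs(const struct ehdr_sub *eh, const uint8_t *img, size_t imglen,
    uint64_t *shnum, uint32_t *shstrndx)
{
	struct shdr64 s0;
	uint64_t num = eh->e_shnum;
	uint32_t ndx = eh->e_shstrndx;

	if (eh->e_shoff == 0)
		return SH_NONE;		/* the file really has no table */
	if (eh->e_shentsize != sizeof(struct shdr64))
		return SH_BAD_ENTSIZE;	/* shdr[i] indexing assumes this size */
	if (eh->e_shoff > imglen || imglen - eh->e_shoff < sizeof(s0))
		return SH_OUT_OF_FILE;
	memcpy(&s0, img + eh->e_shoff, sizeof(s0));

	if (num == 0)			/* extended numbering: count in sh_size */
		num = s0.sh_size;
	if (ndx == SHN_XINDEX)		/* extended numbering: index in sh_link */
		ndx = s0.sh_link;
	if (num == 0)
		return SH_NONE;
	/* Divide instead of multiplying so the size check cannot overflow. */
	if (num > (imglen - eh->e_shoff) / sizeof(struct shdr64))
		return SH_OUT_OF_FILE;
	if (ndx >= num)
		return SH_BAD_STRNDX;
	*shnum = num;
	*shstrndx = ndx;
	return SH_OK;
}

/* Return the name at offset sh_name, or NULL unless it starts inside the
 * string table and is NUL-terminated before the table ends. */
const char *
section_name(const char *shstr, size_t shstrsize, uint32_t sh_name)
{
	if (sh_name >= shstrsize)
		return NULL;
	if (memchr(shstr + sh_name, '\0', shstrsize - sh_name) == NULL)
		return NULL;
	return shstr + sh_name;
}

/* Constructed sample: e_shnum = 0 and e_shstrndx = 65535 as in the report,
 * with a small real count (3) and index (2) stored in section header 0. */
int
demo_resolve(uint64_t *shnum, uint32_t *shstrndx)
{
	static uint8_t img[64 + 3 * sizeof(struct shdr64)];
	struct ehdr_sub eh = { 64, sizeof(struct shdr64), 0, SHN_XINDEX };
	struct shdr64 s0;

	memset(&s0, 0, sizeof(s0));
	s0.sh_size = 3;
	s0.sh_link = 2;
	memcpy(img + eh.e_shoff, &s0, sizeof(s0));
	return resolve_shdrs(&eh, img, sizeof(img), shnum, shstrndx);
}

int
main(void)
{
	static const char tab[] = { '\0', '.', 't', 'e', 'x', 't' }; /* no final NUL */
	uint64_t n = 0;
	uint32_t x = 0;
	int rc = demo_resolve(&n, &x);

	printf("rc=%d shnum=%llu shstrndx=%u\n", rc, (unsigned long long)n, x);
	printf("unterminated name: %s\n",
	    section_name(tab, sizeof(tab), 1) ? "accepted" : "rejected");
	return 0;
}
```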



Re: [patch]rcs: xstrdup just wraps strdup

2015-06-17 Thread Nicholas Marriott
On Wed, Jun 17, 2015 at 01:25:07PM +0200, Fritjof Bornebusch wrote:
 On Mon, Jun 15, 2015 at 10:22:27AM +0100, Nicholas Marriott wrote:
  What about diff and ssh and file? They all use a copy of the same
  xmalloc.c.
  
 
 
 Personally, I would recommend that xstrdup just calls strdup(3), as
 Theo said: it's 100.00% portable.

Right, that's fine, I meant are you going to change the others?

 
 But I don't think I'm the right person who should answer that question. ;)
  
 Regards,
 --F.
 
  
  On Mon, Jun 15, 2015 at 10:00:01AM +0200, Fritjof Bornebusch wrote:
   Hi,
   
   thanks for the hint.
   This one should do the trick.
   
   
   
   
   Index: xmalloc.c
   ===
   RCS file: /cvs/src/usr.bin/rcs/xmalloc.c,v
   retrieving revision 1.9
   diff -u -p -r1.9 xmalloc.c
   --- xmalloc.c 13 Jun 2015 20:15:21 -  1.9
   +++ xmalloc.c 15 Jun 2015 07:52:15 -
   @@ -68,13 +68,10 @@ xreallocarray(void *ptr, size_t nmemb, s
char *
xstrdup(const char *str)
{
   - size_t len;
 char *cp;
   -
   - len = strlen(str) + 1;
   - cp = xmalloc(len);
   - if (strlcpy(cp, str, len) = len)
   - errx(1, xstrdup: string truncated);
   + 
   + if ((cp = strdup(str)) == NULL)
   + err(1, xstrdup);
 return cp;
}