svn commit: r359762 - in stable: 11/usr.sbin/config 12/usr.sbin/config

[Kyle Evans]

Author: kevans
Date: Fri Apr 10 00:25:14 2020
New Revision: 359762
URL: https://svnweb.freebsd.org/changeset/base/359762

Log:
  MFC r359689: config(8): "fix" a couple of buffer overflows
  
  Recently added/changed lines in various kernel configs have caused some
  buffer overflows that went undetected. These were detected with a config
  built using -fno-common as these line buffers smashed one of our arrays,
  then further triaged with ASAN.
  
  Double the sizes; this is really not a great fix, but addresses the
  immediate need until someone rewrites config. While here, add some bounds
  checking so that we don't need to detect this by random bus errors or other
  weird failures.

Modified:
  stable/11/usr.sbin/config/main.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/usr.sbin/config/main.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/usr.sbin/config/main.c
==============================================================================
--- stable/11/usr.sbin/config/main.c    Fri Apr 10 00:23:34 2020        
(r359761)
+++ stable/11/usr.sbin/config/main.c    Fri Apr 10 00:25:14 2020        
(r359762)
@@ -311,7 +311,7 @@ usage(void)
 char *
 get_word(FILE *fp)
 {
-       static char line[80];
+       static char line[160];
        int ch;
        char *cp;
        int escaped_nl = 0;
@@ -341,11 +341,17 @@ begin:
                *cp = 0;
                return (line);
        }
-       while ((ch = getc(fp)) != EOF) {
+       while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
                if (isspace(ch))
                        break;
                *cp++ = ch;
        }
+       if (cp >= line + sizeof(line)) {
+               line[sizeof(line) - 1] = '\0';
+               fprintf(stderr, "config: attempted overflow, partial line: 
`%s'",
+                   line);
+               exit(2);
+       }
        *cp = 0;
        if (ch == EOF)
                return ((char *)EOF);
@@ -361,7 +367,7 @@ begin:
 char *
 get_quoted_word(FILE *fp)
 {
-       static char line[256];
+       static char line[512];
        int ch;
        char *cp;
        int escaped_nl = 0;
@@ -404,15 +410,29 @@ begin:
                        }
                        if (ch != quote && escaped_nl)
                                *cp++ = '\\';
+                       if (cp >= line + sizeof(line)) {
+                               line[sizeof(line) - 1] = '\0';
+                               printf(
+                                   "config: line buffer overflow reading 
partial line `%s'\n",
+                                   line);
+                               exit(2);
+                       }
                        *cp++ = ch;
                        escaped_nl = 0;
                }
        } else {
                *cp++ = ch;
-               while ((ch = getc(fp)) != EOF) {
+               while ((ch = getc(fp)) != EOF && cp < line + sizeof(line)) {
                        if (isspace(ch))
                                break;
                        *cp++ = ch;
+               }
+               if (cp >= line + sizeof(line)) {
+                       line[sizeof(line) - 1] = '\0';
+                       printf(
+                           "config: line buffer overflow reading partial line 
`%s'\n",
+                           line);
+                       exit(2);
                }
                if (ch != EOF)
                        (void) ungetc(ch, fp);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"