xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

fix endless devwalk loops caused by genbuf truncation

Browse source
This commit is contained in:
cinap_lenrek 2012-02-08 00:00:42 +01:00
parent d970ed6a5a
commit 022fd02b96
3 changed files with 38 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

5
sys/src/9/port/devenv.c
View file

@ -48,7 +48,7 @@ envgen(Chan *c, char *name, Dirtab*, int, int s, Dir *dp)
else if(s < eg->nent) else if(s < eg->nent)
e = eg->ent[s]; e = eg->ent[s];
if(e == 0) { if(e == 0 || (strlen(e->name) >= sizeof(up->genbuf))) {
runlock(eg); runlock(eg);
return -1; return -1;
} }
@ -147,6 +147,9 @@ envcreate(Chan *c, char *name, int omode, ulong)
if(c->qid.type != QTDIR) if(c->qid.type != QTDIR)
error(Eperm); error(Eperm);
if(strlen(name) >= sizeof(up->genbuf))
error(Egreg);
omode = openmode(omode); omode = openmode(omode);
eg = envgrp(c); eg = envgrp(c);

18
sys/src/9/port/devshr.c
View file

@ -298,13 +298,13 @@ shrgen(Chan *c, char*, Dirtab*, int, int s, Dir *dp)
sch = tosch(c); sch = tosch(c);
switch(sch->level){ switch(sch->level){
default: default:
error(Egreg); return -1;
case Qroot: case Qroot:
case Qcroot: case Qcroot:
qlock(&shrslk); qlock(&shrslk);
for(shr = shrs; shr && s; shr = shr->next) for(shr = shrs; shr && s; shr = shr->next)
s--; s--;
if(shr == nil){ if(shr == nil || (strlen(shr->name) >= sizeof(up->genbuf))){
qunlock(&shrslk); qunlock(&shrslk);
return -1; return -1;
} }
@ -323,11 +323,11 @@ shrgen(Chan *c, char*, Dirtab*, int, int s, Dir *dp)
rlock(&h->lock); rlock(&h->lock);
for(m = h->mount; m && s; m = m->next) for(m = h->mount; m && s; m = m->next)
s--; s--;
if(m == nil){ mpt = tompt(m);
if(m == nil || (strlen(mpt->name) >= sizeof(up->genbuf))){
runlock(&h->lock); runlock(&h->lock);
return -1; return -1;
} }
mpt = tompt(m);
kstrcpy(up->genbuf, mpt->name, sizeof up->genbuf); kstrcpy(up->genbuf, mpt->name, sizeof up->genbuf);
devdir(c, shrqid(Qcmpt, mpt->id), up->genbuf, 0, mpt->owner, mpt->perm, dp); devdir(c, shrqid(Qcmpt, mpt->id), up->genbuf, 0, mpt->owner, mpt->perm, dp);
runlock(&h->lock); runlock(&h->lock);
@ -460,7 +460,8 @@ shrcreate(Chan *c, char *name, int omode, ulong perm)
case Qcroot: case Qcroot:
if((perm & DMDIR) == 0 || openmode(omode) != OREAD) if((perm & DMDIR) == 0 || openmode(omode) != OREAD)
error(Eperm); error(Eperm);
if(strlen(name) >= sizeof(up->genbuf))
error(Egreg);
qlock(&shrslk); qlock(&shrslk);
if(waserror()){ if(waserror()){
qunlock(&shrslk); qunlock(&shrslk);
@ -497,6 +498,9 @@ shrcreate(Chan *c, char *name, int omode, ulong perm)
error(Eperm); error(Eperm);
devpermcheck(shr->owner, shr->perm, ORDWR); devpermcheck(shr->owner, shr->perm, ORDWR);
if(strlen(name) >= sizeof(up->genbuf))
error(Egreg);
h = &shr->umh; h = &shr->umh;
wlock(&h->lock); wlock(&h->lock);
if(waserror()){ if(waserror()){
@ -652,14 +656,14 @@ shrwstat(Chan *c, uchar *dp, int n)
if(d.name && *d.name && strcmp(ent->name, d.name) != 0) { if(d.name && *d.name && strcmp(ent->name, d.name) != 0) {
if(strchr(d.name, '/') != nil) if(strchr(d.name, '/') != nil)
error(Ebadchar); error(Ebadchar);
if(strlen(d.name) >= sizeof(up->genbuf))
error(Egreg);
kstrdup(&ent->name, d.name); kstrdup(&ent->name, d.name);
} }
poperror(); poperror();
free(strs); free(strs);
switch(sch->level){ switch(sch->level){
default:
error(Egreg);
case Qcshr: case Qcshr:
poperror(); poperror();
qunlock(&shrslk); qunlock(&shrslk);

35
sys/src/9/port/devsrv.c
View file

@ -21,8 +21,18 @@ static QLock srvlk;
static Srv *srv; static Srv *srv;
static int qidpath; static int qidpath;
static Srv*
srvlookup(char *name, ulong qidpath)
{
Srv *sp;
for(sp = srv; sp; sp = sp->link)
if(sp->path == qidpath || (name && strcmp(sp->name, name) == 0))
return sp;
return nil;
}
static int static int
srvgen(Chan *c, char*, Dirtab*, int, int s, Dir *dp) srvgen(Chan *c, char *name, Dirtab*, int, int s, Dir *dp)
{ {
Srv *sp; Srv *sp;
Qid q; Qid q;
@ -33,14 +43,16 @@ srvgen(Chan *c, char*, Dirtab*, int, int s, Dir *dp)
} }
qlock(&srvlk); qlock(&srvlk);
if(name)
sp = srvlookup(name, -1);
else {
for(sp = srv; sp && s; sp = sp->link) for(sp = srv; sp && s; sp = sp->link)
s--; s--;
}
if(sp == 0) { if(sp == 0 || (strlen(sp->name) >= sizeof(up->genbuf))) {
qunlock(&srvlk); qunlock(&srvlk);
return -1; return -1;
} }
mkqid(&q, sp->path, 0, QTFILE); mkqid(&q, sp->path, 0, QTFILE);
/* make sure name string continues to exist after we release lock */ /* make sure name string continues to exist after we release lock */
kstrcpy(up->genbuf, sp->name, sizeof up->genbuf); kstrcpy(up->genbuf, sp->name, sizeof up->genbuf);
@ -67,16 +79,6 @@ srvwalk(Chan *c, Chan *nc, char **name, int nname)
return devwalk(c, nc, name, nname, 0, 0, srvgen); return devwalk(c, nc, name, nname, 0, 0, srvgen);
} }
static Srv*
srvlookup(char *name, ulong qidpath)
{
Srv *sp;
for(sp = srv; sp; sp = sp->link)
if(sp->path == qidpath || (name && strcmp(sp->name, name) == 0))
return sp;
return nil;
}
static int static int
srvstat(Chan *c, uchar *db, int n) srvstat(Chan *c, uchar *db, int n)
{ {
@ -145,6 +147,9 @@ srvcreate(Chan *c, char *name, int omode, ulong perm)
if(openmode(omode) != OWRITE) if(openmode(omode) != OWRITE)
error(Eperm); error(Eperm);
if(strlen(name) >= sizeof(up->genbuf))
error(Egreg);
sp = smalloc(sizeof *sp); sp = smalloc(sizeof *sp);
sname = smalloc(strlen(name)+1); sname = smalloc(strlen(name)+1);
@ -260,6 +265,8 @@ srvwstat(Chan *c, uchar *dp, int n)
if(d.name && *d.name && strcmp(sp->name, d.name) != 0) { if(d.name && *d.name && strcmp(sp->name, d.name) != 0) {
if(strchr(d.name, '/') != nil) if(strchr(d.name, '/') != nil)
error(Ebadchar); error(Ebadchar);
if(strlen(d.name) >= sizeof(up->genbuf))
error(Egreg);
kstrdup(&sp->name, d.name); kstrdup(&sp->name, d.name);
} }
qunlock(&srvlk); qunlock(&srvlk);