xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

libauth: fix out of bounds memory access in _parseattr()

Browse source 
empty token would read ""[-1] accidentally in the AttrQuery case.
This commit is contained in:
cinap_lenrek 2018-01-01 23:23:55 +01:00
parent f7b0cc7a64
commit 4edc761024
1 changed files with 6 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

20
sys/src/libauth/attr.c
View file

@ -128,7 +128,7 @@ Attr*
_parseattr(char *s) _parseattr(char *s)
{ {
char *p, *t, *tok[256]; char *p, *t, *tok[256];
int i, ntok, type; int i, ntok;
Attr *a; Attr *a;
s = strdup(s); s = strdup(s);
@ -139,25 +139,17 @@ _parseattr(char *s)
a = nil; a = nil;
for(i=ntok-1; i>=0; i--){ for(i=ntok-1; i>=0; i--){
t = tok[i]; t = tok[i];
if(p = strchr(t, '=')){ if((p = strchr(t, '=')) != nil){
*p++ = '\0'; *p++ = '\0';
// if(p-2 >= t && p[-2] == ':'){ a = _mkattr(AttrNameval, t, p, a);
// p[-2] = '\0'; }else if((p = strchr(t, '\0')-1) >= t && *p == '?'){
// type = AttrDefault; *p = '\0';
// }else
type = AttrNameval;
a = _mkattr(type, t, p, a);
setmalloctag(a, getcallerpc(&s));
}
else if(t[strlen(t)-1] == '?'){
t[strlen(t)-1] = '\0';
a = _mkattr(AttrQuery, t, "", a); a = _mkattr(AttrQuery, t, "", a);
setmalloctag(a, getcallerpc(&s));
}else{ }else{
/* really a syntax error, but better to provide some indication */ /* really a syntax error, but better to provide some indication */
a = _mkattr(AttrNameval, t, "", a); a = _mkattr(AttrNameval, t, "", a);
setmalloctag(a, getcallerpc(&s));
} }
setmalloctag(a, getcallerpc(&s));
} }
free(s); free(s);
return cleanattr(a); return cleanattr(a);