Source-Changes-HG archive


[src/trunk]: src/usr.sbin/makemandb Avoid possible buffer overflow while pars...



details:   https://anonhg.NetBSD.org/src/rev/ebb57bc8e921
branches:  trunk
changeset: 816444:ebb57bc8e921
user:      abhinav <abhinav%NetBSD.org@localhost>
date:      Wed Jul 06 08:52:01 2016 +0000

description:
Avoid possible buffer overflow while parsing NAME section of man(7) pages.
Also, simplify copying of strings, use estrndup instead of emalloc + memcpy.

Patch from christos@, XXX comment by me

diffstat:

 usr.sbin/makemandb/makemandb.c |  26 +++++++++++++++-----------
 1 files changed, 15 insertions(+), 11 deletions(-)

diffs (71 lines):

diff -r 8114c8b31bcd -r ebb57bc8e921 usr.sbin/makemandb/makemandb.c
--- a/usr.sbin/makemandb/makemandb.c    Wed Jul 06 08:42:34 2016 +0000
+++ b/usr.sbin/makemandb/makemandb.c    Wed Jul 06 08:52:01 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: makemandb.c,v 1.38 2016/07/05 16:24:18 abhinav Exp $   */
+/*     $NetBSD: makemandb.c,v 1.39 2016/07/06 08:52:01 abhinav Exp $   */
 /*
  * Copyright (c) 2011 Abhinav Upadhyay <er.abhinav.upadhyay%gmail.com@localhost>
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps%bsd.lv@localhost>
@@ -17,7 +17,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: makemandb.c,v 1.38 2016/07/05 16:24:18 abhinav Exp $");
+__RCSID("$NetBSD: makemandb.c,v 1.39 2016/07/06 08:52:01 abhinav Exp $");
 
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -1312,7 +1312,7 @@
  *    (c) Move on to the one line description section, which is after the list
  *        of names in the NAME section.
  *  2. Otherwise, it will check the section name and call the man_parse_section
- *     function, passing the enum corresponding that section.
+ *     function, passing the enum corresponding to that section.
  */
 static void
 pman_sh(const struct man_node *n, mandb_rec *rec)
@@ -1391,7 +1391,7 @@
                int has_alias = 0;      // Any more aliases left?
                while (*name_desc) {
                        /* Remove any leading spaces or hyphens. */
-                       if (name_desc[0] == ' ' || name_desc[0] =='-') {
+                       if (name_desc[0] == ' ' || name_desc[0] == '-') {
                                name_desc++;
                                continue;
                        }
@@ -1401,9 +1401,11 @@
                        if (rec->name == NULL) {
                                if (name_desc[sz] == ',')
                                        has_alias = 1;
-                               name_desc[sz] = 0;
-                               rec->name = emalloc(sz + 1);
-                               memcpy(rec->name, name_desc, sz + 1);
+                               rec->name = estrndup(name_desc, sz);
+                               /* XXX This would only happen with a poorly
+                                * written man page, maybe warn? */
+                               if (name_desc[sz] == '\0')
+                                       break;
                                name_desc += sz + 1;
                                continue;
                        }
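Review bot: The added `break` on `name_desc[sz] == '\0'` leaves `name_desc` pointing at the token that was just copied into `rec->name`, not at the terminator. The loop and the rest of pman_sh continue outside this hunk, so the following is inferred: if the code after the loop treats what remains of `name_desc` as the one-line description, a NAME section with no description would end up storing the name as its own description. Advancing before leaving the loop keeps the over-read fix and leaves an empty remainder: `if (name_desc[sz] == '\0') { name_desc += sz; break; }`. The same applies to the identical check in the alias branch of the next hunk. Because man pages are installed by third-party packages, acting on the XXX and logging a warning would make malformed input visible instead of silently tolerated.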
@@ -1414,13 +1416,15 @@
                         */
                        if (rec->name && has_alias) {
                                if (name_desc[sz] != ',') {
-                                       /* No more commas left -->
-                                        * no more aliases to take out
-                                        */
+                                       /* No more commas left --> no more
+                                        * aliases to take out */
                                        has_alias = 0;
                                }
-                               name_desc[sz] = 0;
                                concat2(&rec->links, name_desc, sz);
+                               /* XXX This would only happen with a poorly
+                                * written man page, maybe warn? */
+                               if (name_desc[sz] == '\0')
+                                       break;
                                name_desc += sz + 1;
                                continue;
                        }
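Review bot: With `name_desc[sz] = 0` removed, `concat2(&rec->links, name_desc, sz)` now receives a span that is not NUL-terminated at `sz`, so correctness rests entirely on concat2 honouring its length argument. concat2 is defined outside this hunk; it is worth confirming that it copies exactly `sz` bytes and never applies a string function to `name_desc`. A short comment at the call would record that contract for later maintainers, for example `/* name_desc is not terminated at sz; concat2() must copy exactly sz bytes */`.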


