diff options
author | Mike Frysinger <vapier@gentoo.org> | 2015-08-28 17:08:49 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-08-29 18:07:00 -0400 |
commit | b0e805fa0d6fea33745952df7b7f5442ca4c374f (patch) | |
tree | 1912c70048e9a9a4a48681f37d0dd692265cd693 /misc/tst-mntent-blank-corrupt.c | |
parent | 30da407eca459329e060d0412c3fa6710f657e83 (diff) | |
download | glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.gz glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.bz2 glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.zip |
getmntent: fix memory corruption w/blank lines [BZ #18887]
The fix for BZ #17273 introduced a single byte of memory corruption when
the line is entirely blank. It would walk back past the start of the
buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte.
buffer = '\n';
end_ptr = buffer;
while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
end_ptr--;
*end_ptr = '\0';
Fix that and rework the tests. Adding the testcase for BZ #17273 to the
existing \040 parser does not really make sense as it's unrelated, and
leads to confusing behavior: it implicitly relies on the new entry being
longer than the previous entry (since it just rewinds the FILE*). Split
it out into its own dedicated testcase instead.
Diffstat (limited to 'misc/tst-mntent-blank-corrupt.c')
-rw-r--r-- | misc/tst-mntent-blank-corrupt.c | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/misc/tst-mntent-blank-corrupt.c b/misc/tst-mntent-blank-corrupt.c new file mode 100644 index 0000000000..92266a35b5 --- /dev/null +++ b/misc/tst-mntent-blank-corrupt.c @@ -0,0 +1,45 @@ +/* Make sure blank lines does not cause memory corruption BZ #18887. + + Copyright (C) 2009-2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <mntent.h> +#include <stdio.h> +#include <string.h> + +/* Make sure blank lines don't trigger memory corruption. This doesn't happen + for all targets though, so it's a best effort test BZ #18887. */ +static int +do_test (void) +{ + FILE *fp; + + fp = tmpfile (); + fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp); + rewind (fp); + + /* The corruption happens here ... */ + getmntent (fp); + /* ... but trigers here. */ + endmntent (fp); + + /* If the test failed, we would crash, and not hit this point. */ + return 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |