diff options
| author | Alex Wilson <alex.wilson@joyent.com> | 2015-08-19 09:19:31 -0700 |
|---|---|---|
| committer | Alex Wilson <alex.wilson@joyent.com> | 2015-08-19 17:31:16 -0700 |
| commit | 8ef72979d98b14b9615277a3430a010a802f8d3a (patch) | |
| tree | 4c29fc2708f6c3e7c7477779deee5ad7c951f8b5 /usr/src/uts | |
| parent | 6249976e8c54b3191762b1c53e2439f30bc7b1b9 (diff) | |
| download | illumos-joyent-20150820.tar.gz | |
OS-4660 lxproc new core_pattern support does not validate output length correctly20150820release-20150820
OS-4662 lx_proc core_pattern doesn't handle pipe to exec
Reviewed by: Robert Mustacchi <robert.mustacchi@joyent.com>
Diffstat (limited to 'usr/src/uts')
| -rw-r--r-- | usr/src/uts/common/brand/lx/procfs/lx_proc.h | 4 | ||||
| -rw-r--r-- | usr/src/uts/common/brand/lx/procfs/lx_prsubr.c | 32 | ||||
| -rw-r--r-- | usr/src/uts/common/brand/lx/procfs/lx_prvnops.c | 20 |
3 files changed, 45 insertions, 11 deletions
diff --git a/usr/src/uts/common/brand/lx/procfs/lx_proc.h b/usr/src/uts/common/brand/lx/procfs/lx_proc.h index 0ba3b8826f..ffc562d003 100644 --- a/usr/src/uts/common/brand/lx/procfs/lx_proc.h +++ b/usr/src/uts/common/brand/lx/procfs/lx_proc.h @@ -327,8 +327,8 @@ extern void lxpr_zfs_end_iter(lxpr_zfs_iter_t *); extern int lxpr_zfs_next_zvol(lxpr_mnt_t *, char *, zfs_cmd_t *, lxpr_zfs_iter_t *); -extern void lxpr_core_path_l2s(const char *, char *); -extern void lxpr_core_path_s2l(const char *, char *); +extern int lxpr_core_path_l2s(const char *, char *, size_t); +extern int lxpr_core_path_s2l(const char *, char *, size_t); proc_t *lxpr_lock(pid_t); void lxpr_unlock(proc_t *); diff --git a/usr/src/uts/common/brand/lx/procfs/lx_prsubr.c b/usr/src/uts/common/brand/lx/procfs/lx_prsubr.c index ce6e9ced50..bfc72a226d 100644 --- a/usr/src/uts/common/brand/lx/procfs/lx_prsubr.c +++ b/usr/src/uts/common/brand/lx/procfs/lx_prsubr.c @@ -592,13 +592,13 @@ lxpr_freenode(lxpr_node_t *lxpnp) * Any % escape sequences that are not recognised are double-escaped so that * they will be inserted literally into the path (to mimic Linux). */ -void -lxpr_core_path_l2s(const char *inp, char *outp) +int +lxpr_core_path_l2s(const char *inp, char *outp, size_t outsz) { int i = 0, j = 0; char x; - while (i < MAXPATHLEN && j < MAXPATHLEN - 1) { + while (j < outsz - 1) { x = inp[i++]; if (x == '\0') break; @@ -608,8 +608,17 @@ lxpr_core_path_l2s(const char *inp, char *outp) } x = inp[i++]; + if (x == '\0') + break; + + /* Make sure we have enough space in the output buffer. */ + if (j + 2 >= outsz - 1) + return (EINVAL); + switch (x) { case 'E': + if (j + 4 >= outsz - 1) + return (EINVAL); outp[j++] = '%'; outp[j++] = 'd'; outp[j++] = '%'; @@ -633,6 +642,8 @@ lxpr_core_path_l2s(const char *inp, char *outp) break; default: /* No translation, make it literal. */ + if (j + 3 >= outsz - 1) + return (EINVAL); outp[j++] = '%'; outp[j++] = '%'; outp[j++] = x; @@ -641,18 +652,19 @@ lxpr_core_path_l2s(const char *inp, char *outp) } outp[j] = '\0'; + return (0); } /* * Translate an Illumos core pattern path back to Linux format. */ -void -lxpr_core_path_s2l(const char *inp, char *outp) +int +lxpr_core_path_s2l(const char *inp, char *outp, size_t outsz) { int i = 0, j = 0; char x; - while (i < MAXPATHLEN && j < MAXPATHLEN - 1) { + while (j < outsz - 1) { x = inp[i++]; if (x == '\0') break; @@ -662,6 +674,13 @@ lxpr_core_path_s2l(const char *inp, char *outp) } x = inp[i++]; + if (x == '\0') + break; + + /* Make sure we have enough space in the output buffer. */ + if (j + 2 >= outsz - 1) + return (EINVAL); + switch (x) { case 'd': /* No Linux equivalent unless it's %d%f. */ @@ -695,6 +714,7 @@ lxpr_core_path_s2l(const char *inp, char *outp) } outp[j] = '\0'; + return (0); } /* diff --git a/usr/src/uts/common/brand/lx/procfs/lx_prvnops.c b/usr/src/uts/common/brand/lx/procfs/lx_prvnops.c index 1c3736d0bd..5569b29b58 100644 --- a/usr/src/uts/common/brand/lx/procfs/lx_prvnops.c +++ b/usr/src/uts/common/brand/lx/procfs/lx_prvnops.c @@ -3977,9 +3977,19 @@ lxpr_read_sys_kernel_corepatt(lxpr_node_t *lxpnp, lxpr_uiobuf_t *uiobuf) refstr_hold(rp); mutex_exit(&ccp->ccp_mtx); - lxpr_core_path_s2l(refstr_value(rp), tr); - refstr_rele(rp); + if (rp == NULL) { + lxpr_uiobuf_printf(uiobuf, "\n"); + return; + } + bzero(tr, sizeof (tr)); + if (lxpr_core_path_s2l(refstr_value(rp), tr, sizeof (tr)) != 0) { + refstr_rele(rp); + lxpr_uiobuf_printf(uiobuf, "\n"); + return; + } + + refstr_rele(rp); lxpr_uiobuf_printf(uiobuf, "%s\n", tr); } @@ -5913,7 +5923,11 @@ lxpr_write_sys_kernel_corepatt(lxpr_node_t *lxpnp, struct uio *uio, if (val[olen - 1] == '\n') val[olen - 1] = '\0'; - lxpr_core_path_l2s(val, valtr); + if (val[0] == '|') + return (EINVAL); + + if ((error = lxpr_core_path_l2s(val, valtr, sizeof (valtr))) != 0) + return (error); nrp = refstr_alloc(valtr); |