[PATCH] mdev regex fix

Denys Vlasenko vda.linux at googlemail.com
Fri May 23 20:51:44 UTC 2008


On Friday 23 May 2008 14:36, Natanael Copa wrote:
> forgot to attach the patch.
> sorry
> 
> On Fri, 2008-05-23 at 14:30 +0200, Natanael Copa wrote:
> > mdev in busybox-1.10.2 has a bug:
> > 
> > mdev.conf:
> > zap(.+)		root:dialout 0660 =zap/%1
> > 
> > When expanding the %1 regex, string will not be terminated with a '\0'
> > properly causing interesting results in /dev. 
> > 
> > # ls /dev/zap/
> > channel  ctlS
    ctlT
    pseudo   timer
> > 
> > 
> > Attatched patch fixes the issue. (for 1.10.2 + current patches)

Strange. It means that we allocate too small an alias,
because otherwise it would be NUL terminated because of xzalloc!

                                /* substitute %1..9 with off[1..9], if any */
                                n = 0;
                                s = val;
                                while (*s && *s++ == '%')
                                        n++;

=======>                        p = alias = xzalloc(strlen(val) + n * strlen(device_name));
                                s = val + 1;
                                while (*s) {
                                        *p = *s;
                                        if ('%' == *s) {
                                                i = (s[1] - '0');
                                                if (i <= 9 && off[i].rm_so >= 0) {
                                                        n = off[i].rm_eo - off[i].rm_so;
                                                        strncpy(p, device_name + off[i].rm_so, n);
                                                        p += n - 1;
                                                        s++;
                                                }
                                        }
                                        p++;
                                        s++;
                                }

The replacement string starts at val+1. If val has no '%', its length is
strlen(val+1), with terminating NUL it is strlen(val+1) + 1 == strlen(val).

Each '%' is substituted by device_name at max (meaning: it can be substituted
by just a part of device_name, or the whole device_name). We have n '%' chars,
so we need at most strlen(val) + n * strlen(device_name) chars, including NUL.

In your example:

mdev.conf:
zap(.+)         root:dialout 0660 =zap/%1

strlen(val) + n * strlen(device_name) == 7 + strlen(device_name).
If device_name == "zap.ctlT", it's 7+8 = 15, and it's enough for "zap/ctlT".

I am obviously wrong somewhere, but I don't see where.
--
vda



More information about the busybox mailing list