[PATCH] mdev regex fix

Natanael Copa natanael.copa at gmail.com
Sat May 24 07:22:02 UTC 2008 

On Fri, 2008-05-23 at 22:51 +0200, Denys Vlasenko wrote:
> On Friday 23 May 2008 14:36, Natanael Copa wrote:
> > forgot to attach the patch.
> > sorry
> > 
> > On Fri, 2008-05-23 at 14:30 +0200, Natanael Copa wrote:
> > > mdev in busybox-1.10.2 has a bug:
> > > 
> > > mdev.conf:
> > > zap(.+)		root:dialout 0660 =zap/%1
> > > 
> > > When expanding the %1 regex, string will not be terminated with a '\0'
> > > properly causing interesting results in /dev. 
> > > 
> > > # ls /dev/zap/
> > > channel  ctlS
    ctlT
    pseudo   timer
> > > 
> > > 
> > > Attatched patch fixes the issue. (for 1.10.2 + current patches)
> 
> Strange. It means that we allocate too small an alias,
> because otherwise it would be NUL terminated because of xzalloc!

You are absolutely right. Didn't think of that.

> 
>                                 /* substitute %1..9 with off[1..9], if any */
>                                 n = 0;
>                                 s = val;

Problem is in the line below here (yeah, i got tricked by it too and
assumed that the buf was big enough). It does not do what you think it
does:

>                                 while (*s && *s++ == '%')
>                                         n++;

Should be:

	while (*s)
		if (*s++ == '%')
			n++;


> 
> =======>                        p = alias = xzalloc(strlen(val) + n * strlen(device_name));
>                                 s = val + 1;
>                                 while (*s) {
>                                         *p = *s;
>                                         if ('%' == *s) {
>                                                 i = (s[1] - '0');
>                                                 if (i <= 9 && off[i].rm_so >= 0) {
>                                                         n = off[i].rm_eo - off[i].rm_so;
>                                                         strncpy(p, device_name + off[i].rm_so, n);
>                                                         p += n - 1;
>                                                         s++;
>                                                 }
>                                         }
>                                         p++;
>                                         s++;
>                                 }
> 
> The replacement string starts at val+1. If val has no '%', its length is
> strlen(val+1), with terminating NUL it is strlen(val+1) + 1 == strlen(val).
> 
> Each '%' is substituted by device_name at max (meaning: it can be substituted
> by just a part of device_name, or the whole device_name). We have n '%' chars,
> so we need at most strlen(val) + n * strlen(device_name) chars, including NUL.
> 
> In your example:
> 
> mdev.conf:
> zap(.+)         root:dialout 0660 =zap/%1
> 
> strlen(val) + n * strlen(device_name) == 7 + strlen(device_name).
> If device_name == "zap.ctlT", it's 7+8 = 15, and it's enough for "zap/ctlT".
> 
> I am obviously wrong somewhere, but I don't see where.

The problem was that n == 0.
If device_name == "zapctl" and n == 0 the buf size will end up as 7,
which is 1 too small for "zap/ctl".

> --
> vda

Attatched is updated patch.

-nc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: busybox-1.10.2-mdev-regex-fix2.patch
Type: text/x-patch
Size: 386 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20080524/b8642cfe/attachment-0002.bin

More information about the busybox mailing list