From: Thomas Huth
To: slof@lists.ozlabs.org
Cc: Greg Kurz
Date: Tue, 5 Jun 2018 12:11:49 +0200
Subject: [SLOF] [PATCH v2 3/3] lib/libnet/pxelinux: Fix two off-by-one bugs in the pxelinux.cfg parser
X-Patchwork-Submitter: Thomas Huth
X-Patchwork-Id: 925384
List-Id: "Patches for https://github.com/aik/SLOF"

There are two small bugs in the pxelinux.cfg parser:

1. If the file does not end with a '\n', the code set 'eol = cfg + cfgsize'
   and later wrote a NUL character to *eol, i.e. it wrote the NUL character
   beyond the end of the buffer. We've got to use 'eol = cfg + cfgsize - 1'
   instead.

2. The code always replaced the last byte of the buffer with a NUL character
   to get a proper termination. If the config file ends with a required
   character (e.g. the last line is a KERNEL or INITRD line and the file
   does not have a '\n' at the end), the last character got lost. Move the
   obligation for the terminating NUL character to the caller instead so
   that we can be sure to have a properly terminated buffer in
   pxelinux_parse_cfg() without the need to blindly overwrite the last
   character here.

Reviewed-by: Greg Kurz
Signed-off-by: Thomas Huth --- lib/libnet/pxelinux.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/libnet/pxelinux.c b/lib/libnet/pxelinux.c index 939a92c..c4ac5d5 100644 --- a/lib/libnet/pxelinux.c +++ b/lib/libnet/pxelinux.c @@ -151,8 +151,9 @@ static int pxelinux_load_cfg(filename_ip_t *fn_ip, uint8_t *mac, const char *uui * in entries point to the original location in the cfg buffer area. The cfg * buffer is altered for this, too, e.g. terminating NUL-characters are put * into the right locations. - * @param cfg Pointer to the buffer with contents of the config file - * @param cfgsize Size of the cfg buffer + * @param cfg Pointer to the buffer with contents of the config file. + * The caller must make sure that it is NUL-terminated. + * @param cfgsize Size of the cfg data (including the terminating NUL) * @param entries Pointer to array where the results should be put into * @param max_entries Number of available slots in the entries array * @param def_ent Used to return the index of the default entry @@ -167,12 +168,10 @@ int pxelinux_parse_cfg(char *cfg, int cfgsize, struct pl_cfg_entry *entries, *def_ent = 0; - cfg[cfgsize - 1] = 0; /* Make sure it is NUL-terminated */ - while (ptr < cfg + cfgsize && num_entries < max_entries) { eol = strchr(ptr, '\n'); if (!eol) { - eol = cfg + cfgsize; + eol = cfg + cfgsize - 1; } nextptr = eol + 1; do { @@ -246,5 +245,7 @@ int pxelinux_load_parse_cfg(filename_ip_t *fn_ip, uint8_t *mac, const char *uuid return rc; assert(rc < cfgsize); + cfgbuf[rc++] = '\0'; /* Make sure it is NUL-terminated */ + return pxelinux_parse_cfg(cfgbuf, rc, entries, max_entries, def_ent); }
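Review bot: In the doc-comment hunk (@@ -151), the description of cfgsize changes meaning from "Size of the cfg buffer" to the data length including the terminating NUL, but the comment does not spell out the resulting precondition. Since pxelinux_parse_cfg() is not declared static, please state explicitly that cfgsize must be at least 1 and that cfg[cfgsize - 1] must be the NUL byte, so that a caller other than pxelinux_load_parse_cfg() can tell exactly what to pass.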
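Review bot: In the parser hunk (@@ -167), dropping 'cfg[cfgsize - 1] = 0;' leaves 'eol = strchr(ptr, '\n');' relying entirely on the caller for termination, and with an unterminated buffer strchr() scans past cfg + cfgsize. A cheap guard at function entry that rejects cfgsize < 1 or cfg[cfgsize - 1] != '\0' before the while loop would keep the fix for the lost last character without trusting every caller. The new 'eol = cfg + cfgsize - 1;' itself looks right: nextptr then equals cfg + cfgsize and the loop condition 'ptr < cfg + cfgsize' ends the scan.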
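Review bot: In the last hunk (@@ -246), the only bound on the new write 'cfgbuf[rc++] = '\0';' is the preceding 'assert(rc < cfgsize);', so in any build where assert() is compiled out, the store is unchecked. Suggest an explicit runtime test that returns an error when rc >= cfgsize before writing the terminator, and a short comment noting that rc passed to pxelinux_parse_cfg() now counts the NUL, matching the updated cfgsize documentation.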