. added checks for buffer sizes in sys_datacopy() functions in mfs,
print debug message if copy is truncated . increased buffer in lookup() to be PATH_MAX instead of NAME_MAX . sanity check in fetch_name() in vfs to see if name fits, and is null-terminated . first check i < NAME_MAX, then string[i] in search_dir, as we're not supposed to look at string[NAME_MAX]
This commit is contained in:
Ben Gras
parent
94b936d7c1
commit
722f1b2b9f
@ -106,3 +106,5 @@
|
||||
#define V2_INODE_SIZE usizeof (d2_inode) /* bytes in V2 dsk ino */
|
||||
#define V2_INDIRECTS(b) ((b)/V2_ZONE_NUM_SIZE) /* # zones/indir block */
|
||||
#define V2_INODES_PER_BLOCK(b) ((b)/V2_INODE_SIZE)/* # V2 dsk inodes/blk */
|
||||
|
||||
#define MFS_MIN(a,b) mfs_min_f(__FILE__,__LINE__,(a), (b))
|
||||
|
||||
@ -45,7 +45,7 @@ PUBLIC int fs_link()
|
||||
/* Copy the link name's last component */
|
||||
r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) string,
|
||||
(phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string)));
|
||||
|
||||
/* Temporarily open the file. */
|
||||
if ( (rip = get_inode(fs_dev, fs_m_in.REQ_LINKED_FILE)) == NIL_INODE) {
|
||||
@ -124,7 +124,7 @@ PUBLIC int fs_unlink()
|
||||
/* Copy the last component */
|
||||
r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) string,
|
||||
(phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string)));
|
||||
|
||||
if (r != OK) return r;
|
||||
|
||||
@ -305,7 +305,7 @@ PUBLIC int fs_rename()
|
||||
/* Copy the last component of the old name */
|
||||
r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) old_name,
|
||||
(phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(old_name)));
|
||||
if (r != OK) return r;
|
||||
|
||||
/* Copy the last component of the new name */
|
||||
|
||||
@ -50,7 +50,9 @@ PUBLIC int fs_open()
|
||||
if (oflags & O_CREAT) {
|
||||
/* Copy the last component */
|
||||
err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
SELF, (vir_bytes) lastc,
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN,
|
||||
sizeof(lastc)));
|
||||
|
||||
if (err_code != OK) return err_code;
|
||||
|
||||
@ -164,7 +166,7 @@ PUBLIC int fs_create()
|
||||
|
||||
/* Copy the last component */
|
||||
err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
SELF, (vir_bytes) lastc, (phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc)));
|
||||
|
||||
if (err_code != OK) return err_code;
|
||||
|
||||
@ -213,7 +215,8 @@ PUBLIC int fs_mknod()
|
||||
|
||||
/* Copy the last component and set up caller's user and group id */
|
||||
err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF,
|
||||
(vir_bytes) lastc, (phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(vir_bytes) lastc,
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc)));
|
||||
|
||||
if (err_code != OK) return err_code;
|
||||
|
||||
@ -248,7 +251,7 @@ PUBLIC int fs_mkdir()
|
||||
/* Copy the last component and set up caller's user and group id */
|
||||
err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF,
|
||||
(vir_bytes) lastc, (phys_bytes)
|
||||
MIN(fs_m_in.REQ_PATH_LEN, NAME_MAX));
|
||||
MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(lastc)));
|
||||
|
||||
if (err_code != OK) return err_code;
|
||||
|
||||
@ -323,7 +326,7 @@ PUBLIC int fs_slink()
|
||||
/* Copy the link name's last component */
|
||||
r = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH,
|
||||
SELF, (vir_bytes) string,
|
||||
(phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string)));
|
||||
|
||||
if (r != OK) return r;
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@ FORWARD _PROTOTYPE( int ltraverse, (struct inode *rip, char *path,
|
||||
*===========================================================================*/
|
||||
PUBLIC int lookup()
|
||||
{
|
||||
char string[NAME_MAX];
|
||||
char string[PATH_MAX];
|
||||
struct inode *rip;
|
||||
int s_error, flags;
|
||||
|
||||
@ -42,7 +42,8 @@ PUBLIC int lookup()
|
||||
|
||||
/* Copy the pathname and set up caller's user and group id */
|
||||
err_code = sys_datacopy(FS_PROC_NR, (vir_bytes) fs_m_in.REQ_PATH, SELF,
|
||||
(vir_bytes) user_path, (phys_bytes) fs_m_in.REQ_PATH_LEN);
|
||||
(vir_bytes) user_path,
|
||||
(phys_bytes) MFS_MIN(fs_m_in.REQ_PATH_LEN, sizeof(string)));
|
||||
|
||||
if (err_code != OK) return err_code;
|
||||
|
||||
@ -60,7 +61,7 @@ PUBLIC int lookup()
|
||||
if (err_code != OK || (flags & PATH_PENULTIMATE)) {
|
||||
s_error = sys_datacopy(SELF_E, (vir_bytes) string, FS_PROC_NR,
|
||||
(vir_bytes) fs_m_in.REQ_USER_ADDR, (phys_bytes)
|
||||
MIN(strlen(string)+1, NAME_MAX));
|
||||
MFS_MIN(strlen(string)+1, NAME_MAX));
|
||||
if (s_error != OK) return s_error;
|
||||
}
|
||||
|
||||
@ -622,7 +623,7 @@ int flag; /* LOOK_UP, ENTER, DELETE or IS_EMPTY */
|
||||
|
||||
/* 'bp' now points to a directory block with space. 'dp' points to slot. */
|
||||
(void) memset(dp->d_name, 0, (size_t) NAME_MAX); /* clear entry */
|
||||
for (i = 0; string[i] && i < NAME_MAX; i++) dp->d_name[i] = string[i];
|
||||
for (i = 0; i < NAME_MAX && string[i]; i++) dp->d_name[i] = string[i];
|
||||
sp = ldir_ptr->i_sp;
|
||||
dp->d_ino = conv4(sp->s_native, (int) *numb);
|
||||
bp->b_dirt = DIRTY;
|
||||
@ -668,3 +669,4 @@ char string[NAME_MAX]; /* the final component is returned here */
|
||||
|
||||
return parse_path(path, string, LAST_DIR);
|
||||
}
|
||||
|
||||
|
||||
@ -193,20 +193,3 @@ _PROTOTYPE( struct buf *new_block, (struct inode *rip, off_t position) );
|
||||
_PROTOTYPE( void zero_block, (struct buf *bp) );
|
||||
_PROTOTYPE( int write_map, (struct inode *, off_t, zone_t, int) );
|
||||
|
||||
/* select.c */
|
||||
_PROTOTYPE( int do_select, (void) );
|
||||
_PROTOTYPE( int select_callback, (struct filp *, int ops) );
|
||||
_PROTOTYPE( void select_forget, (int fproc) );
|
||||
_PROTOTYPE( void select_timeout_check, (timer_t *) );
|
||||
_PROTOTYPE( void init_select, (void) );
|
||||
_PROTOTYPE( void select_unsuspend_by_endpt, (int proc) );
|
||||
_PROTOTYPE( int select_notified, (int major, int minor, int ops) );
|
||||
|
||||
/* timers.c */
|
||||
_PROTOTYPE( void fs_set_timer, (timer_t *tp, int delta, tmr_func_t watchdog, int arg));
|
||||
_PROTOTYPE( void fs_expire_timers, (clock_t now) );
|
||||
_PROTOTYPE( void fs_cancel_timer, (timer_t *tp) );
|
||||
_PROTOTYPE( void fs_init_timer, (timer_t *tp) );
|
||||
|
||||
/* cdprobe.c */
|
||||
_PROTOTYPE( int cdprobe, (void) );
|
||||
|
||||
@ -90,4 +90,10 @@ PUBLIC time_t clock_time()
|
||||
return( (time_t) (boottime + (uptime/HZ)));
|
||||
}
|
||||
|
||||
|
||||
int mfs_min_f(char *file, int line, int v1, int v2)
|
||||
{
|
||||
if(v2 >= v1) return v1;
|
||||
printf("mfs:%s:%d: truncated %d to %d\n",
|
||||
file, line, v1, v2);
|
||||
return v2;
|
||||
}
|
||||
|
||||
@ -35,6 +35,10 @@ int flag; /* M3 means path may be in message */
|
||||
register char *rpu, *rpm;
|
||||
int r;
|
||||
|
||||
if(len >= sizeof(user_fullpath)) {
|
||||
panic(__FILE__, "fetch_name: len too much for user_fullpath", len);
|
||||
}
|
||||
|
||||
/* Check name length for validity. */
|
||||
if (len <= 0) {
|
||||
err_code = EINVAL;
|
||||
@ -58,6 +62,16 @@ int flag; /* M3 means path may be in message */
|
||||
FS_PROC_NR, (vir_bytes) user_fullpath, (phys_bytes) len);
|
||||
}
|
||||
|
||||
if(user_fullpath[len-1] != '\0') {
|
||||
int i;
|
||||
printf("fetch_name: name not null-terminated: ");
|
||||
for(i = 0; i < len; i++) {
|
||||
printf("%c", user_fullpath[i]);
|
||||
}
|
||||
printf("\n");
|
||||
user_fullpath[len-1] = '\0';
|
||||
}
|
||||
|
||||
return(r);
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user