From patchwork Tue May 30 14:10:07 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nikolay Borisov X-Patchwork-Id: 9754653 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BBDB1602B9 for ; Tue, 30 May 2017 14:10:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AEC61268AE for ; Tue, 30 May 2017 14:10:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A371328474; Tue, 30 May 2017 14:10:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 81D72268AE for ; Tue, 30 May 2017 14:10:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751127AbdE3OKM (ORCPT ); Tue, 30 May 2017 10:10:12 -0400 Received: from mx2.suse.de ([195.135.220.15]:51462 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751004AbdE3OKM (ORCPT ); Tue, 30 May 2017 10:10:12 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 0D6D1AAAD; Tue, 30 May 2017 14:10:11 +0000 (UTC) From: Nikolay Borisov To: eguan@redhat.com Cc: fstests@vger.kernel.org, Nikolay Borisov Subject: [PATCHv2] src/listxattr: Fix reading past the end of the user buffer Date: Tue, 30 May 2017 17:10:07 +0300 Message-Id: <1496153407-6060-1-git-send-email-nborisov@suse.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1496152288-4101-1-git-send-email-nborisov@suse.com> References: <1496152288-4101-1-git-send-email-nborisov@suse.com> Sender: fstests-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP listxattr reaturns a null-terminated list of entries that represent the xattr names. However, if it is passed larger buffer than it requires it won't zero-out the rest of the memory. The way the loop iterator in listxattr.c is written makes it go print every null-terminated entry up to bufsize (which is user passed parameter). This can lead to a situation where listxattr users N bytes out of M bytes big buffer ( M > N). This will leave the rest (M-N) as garbage, which in turn will be printed by listxattr. Fix this by converting the 'for' loop to 'while' and properly ensuring we are reading at most howevermany elements the syscall reported it returned Signed-off-by: Nikolay Borisov --- v2: Rewrite the loop, hopefully making the code a bit more legible. Functionally it's the same as my previous fix src/listxattr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/listxattr.c b/src/listxattr.c index cd46637a..584ebb2d 100644 --- a/src/listxattr.c +++ b/src/listxattr.c @@ -60,10 +60,10 @@ int main(int argc, char **argv) if (ret < 0) { perror("listxattr"); } else { - char *l; - for (l = buf; l != (buf + bufsize) && *l != '\0'; - l = strchr(l, '\0') + 1) { + char *l = buf; + while (l != (buf + ret)) { printf("xattr: %s\n", l); + l = strchr(l, '\0') + 1; } }