Allocate one more byte so that we are always NUL-terminated, and remove

the extra commented out NUL-terminations. As suggested in: http://mail-index.netbsd.org/source-changes-d/2020/04/01/msg012470.html
2020-05-06 12:44:36 +00:00 · 2020-05-06 12:44:36 +00:00 · 81f24eb1c1
parent 45e7025978
commit 81f24eb1c1
2 changed files with 9 additions and 29 deletions
--- a/lib/librumpuser/rumpuser_sp.c
+++ b/lib/librumpuser/rumpuser_sp.c
@ -1,4 +1,4 @@
-/*      $NetBSD: rumpuser_sp.c,v 1.76 2020/05/06 07:25:26 kamil Exp $	*/
+/*      $NetBSD: rumpuser_sp.c,v 1.77 2020/05/06 12:44:36 christos Exp $	*/

 /*
 * Copyright (c) 2010, 2011 Antti Kantee.  All Rights Reserved.
@ -37,7 +37,7 @@
 #include "rumpuser_port.h"

 #if !defined(lint)
-__RCSID("$NetBSD: rumpuser_sp.c,v 1.76 2020/05/06 07:25:26 kamil Exp $");
+__RCSID("$NetBSD: rumpuser_sp.c,v 1.77 2020/05/06 12:44:36 christos Exp $");
 #endif /* !lint */

 #include <sys/types.h>
@ -699,10 +699,8 @@ serv_handlesyscall(struct spclient *spc, struct rsp_hdr *rhdr, uint8_t *data)
 }

 static void
-serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, char *comm)
+serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, const char *comm)
 {
-	size_t commlen = rhdr->rsp_len - HDRSZ;
-
 	pthread_mutex_lock(&spc->spc_mtx);
 	/* one for the connection and one for us */
 	while (spc->spc_refcnt > 2)
@ -715,14 +713,6 @@ serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, char *comm)
 	 * very much).  proceed with exec.
 	 */

-#if 0 /* XXX triggers buffer overflow */
-	/* ensure comm is 0-terminated */
-	/* TODO: make sure it contains sensible chars? */
-	comm[commlen] = '\0';
-#else
-	(void)commlen;
-#endif
-
 	lwproc_switch(spc->spc_mainlwp);
 	lwproc_execnotify(comm);
 	lwproc_switch(NULL);
@ -980,22 +970,11 @@ handlereq(struct spclient *spc)
 		}

 		if (spc->spc_hdr.rsp_handshake == HANDSHAKE_GUEST) {
-			char *comm = (char *)spc->spc_buf;
-			size_t commlen = spc->spc_hdr.rsp_len - HDRSZ;
-
-#if 0 /* XXX triggers buffer overflow */
-			/* ensure it's 0-terminated */
-			/* XXX make sure it contains sensible chars? */
-			comm[commlen] = '\0';
-#else
-			(void)commlen;
-#endif
-
 			/* make sure we fork off of proc1 */
 			_DIAGASSERT(lwproc_curlwp() == NULL);

-			if ((error = lwproc_rfork(spc,
-			    RUMP_RFFD_CLEAR, comm)) != 0) {
+			if ((error = lwproc_rfork(spc, RUMP_RFFD_CLEAR,
+			    (const char *)spc->spc_buf)) != 0) {
 				shutdown(spc->spc_fd, SHUT_RDWR);
 			}

--- a/lib/librumpuser/sp_common.c
+++ b/lib/librumpuser/sp_common.c
@ -1,4 +1,4 @@
-/*      $NetBSD: sp_common.c,v 1.40 2020/03/24 01:13:41 kamil Exp $	*/
+/*      $NetBSD: sp_common.c,v 1.41 2020/05/06 12:44:36 christos Exp $	*/

 /*
 * Copyright (c) 2010, 2011 Antti Kantee.  All Rights Reserved.
@ -502,11 +502,12 @@ readframe(struct spclient *spc)
 			return 1;
 		}

-		spc->spc_buf = malloc(framelen - HDRSZ);
+		/* Add an extra byte so that we are always NUL-terminated */
+		spc->spc_buf = malloc(framelen - HDRSZ + 1);
 		if (spc->spc_buf == NULL) {
 			return -1;
 		}
-		memset(spc->spc_buf, 0, framelen - HDRSZ);
+		memset(spc->spc_buf, 0, framelen - HDRSZ + 1);

 		/* "fallthrough" */
 	} else {