Allocate one more byte so that we are always NUL-terminated, and remove
the extra commented out NUL-terminations. As suggested in: http://mail-index.netbsd.org/source-changes-d/2020/04/01/msg012470.html
This commit is contained in:
parent
45e7025978
commit
81f24eb1c1
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: rumpuser_sp.c,v 1.76 2020/05/06 07:25:26 kamil Exp $ */
|
||||
/* $NetBSD: rumpuser_sp.c,v 1.77 2020/05/06 12:44:36 christos Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010, 2011 Antti Kantee. All Rights Reserved.
|
||||
|
@ -37,7 +37,7 @@
|
|||
#include "rumpuser_port.h"
|
||||
|
||||
#if !defined(lint)
|
||||
__RCSID("$NetBSD: rumpuser_sp.c,v 1.76 2020/05/06 07:25:26 kamil Exp $");
|
||||
__RCSID("$NetBSD: rumpuser_sp.c,v 1.77 2020/05/06 12:44:36 christos Exp $");
|
||||
#endif /* !lint */
|
||||
|
||||
#include <sys/types.h>
|
||||
|
@ -699,10 +699,8 @@ serv_handlesyscall(struct spclient *spc, struct rsp_hdr *rhdr, uint8_t *data)
|
|||
}
|
||||
|
||||
static void
|
||||
serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, char *comm)
|
||||
serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, const char *comm)
|
||||
{
|
||||
size_t commlen = rhdr->rsp_len - HDRSZ;
|
||||
|
||||
pthread_mutex_lock(&spc->spc_mtx);
|
||||
/* one for the connection and one for us */
|
||||
while (spc->spc_refcnt > 2)
|
||||
|
@ -715,14 +713,6 @@ serv_handleexec(struct spclient *spc, struct rsp_hdr *rhdr, char *comm)
|
|||
* very much). proceed with exec.
|
||||
*/
|
||||
|
||||
#if 0 /* XXX triggers buffer overflow */
|
||||
/* ensure comm is 0-terminated */
|
||||
/* TODO: make sure it contains sensible chars? */
|
||||
comm[commlen] = '\0';
|
||||
#else
|
||||
(void)commlen;
|
||||
#endif
|
||||
|
||||
lwproc_switch(spc->spc_mainlwp);
|
||||
lwproc_execnotify(comm);
|
||||
lwproc_switch(NULL);
|
||||
|
@ -980,22 +970,11 @@ handlereq(struct spclient *spc)
|
|||
}
|
||||
|
||||
if (spc->spc_hdr.rsp_handshake == HANDSHAKE_GUEST) {
|
||||
char *comm = (char *)spc->spc_buf;
|
||||
size_t commlen = spc->spc_hdr.rsp_len - HDRSZ;
|
||||
|
||||
#if 0 /* XXX triggers buffer overflow */
|
||||
/* ensure it's 0-terminated */
|
||||
/* XXX make sure it contains sensible chars? */
|
||||
comm[commlen] = '\0';
|
||||
#else
|
||||
(void)commlen;
|
||||
#endif
|
||||
|
||||
/* make sure we fork off of proc1 */
|
||||
_DIAGASSERT(lwproc_curlwp() == NULL);
|
||||
|
||||
if ((error = lwproc_rfork(spc,
|
||||
RUMP_RFFD_CLEAR, comm)) != 0) {
|
||||
if ((error = lwproc_rfork(spc, RUMP_RFFD_CLEAR,
|
||||
(const char *)spc->spc_buf)) != 0) {
|
||||
shutdown(spc->spc_fd, SHUT_RDWR);
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: sp_common.c,v 1.40 2020/03/24 01:13:41 kamil Exp $ */
|
||||
/* $NetBSD: sp_common.c,v 1.41 2020/05/06 12:44:36 christos Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010, 2011 Antti Kantee. All Rights Reserved.
|
||||
|
@ -502,11 +502,12 @@ readframe(struct spclient *spc)
|
|||
return 1;
|
||||
}
|
||||
|
||||
spc->spc_buf = malloc(framelen - HDRSZ);
|
||||
/* Add an extra byte so that we are always NUL-terminated */
|
||||
spc->spc_buf = malloc(framelen - HDRSZ + 1);
|
||||
if (spc->spc_buf == NULL) {
|
||||
return -1;
|
||||
}
|
||||
memset(spc->spc_buf, 0, framelen - HDRSZ);
|
||||
memset(spc->spc_buf, 0, framelen - HDRSZ + 1);
|
||||
|
||||
/* "fallthrough" */
|
||||
} else {
|
||||
|
|
Loading…
Reference in New Issue