* libc/bsdlib.cc (forkpty): Close master and slave if fork fails to

avoid resource leak (CID 59997).
	* libc/fts.c: Update to FreeBSD version 1.39 (CID 59947).
	* libc/minires.c (minires_get_search): Fix out-of-bounds read from
	words array (CID 59937).
Corinna Vinschen 2014-05-22 09:45:17 +00:00
parent 59ce289027
commit ed2cfab440
4 changed files with 85 additions and 111 deletions


@ -1,3 +1,11 @@
2014-05-20 Corinna Vinschen <corinna@vinschen.de>
* libc/bsdlib.cc (forkpty): Close master and slave if fork fails to
avoid resource leak (CID 59997).
* libc/fts.c: Update to FreeBSD version 1.39 (CID 59947).
* libc/minires.c (minires_get_search): Fix out-of-bounds read from
words array (CID 59937).
2014-05-20 Corinna Vinschen <corinna@vinschen.de> 2014-05-20 Corinna Vinschen <corinna@vinschen.de>
* flock.cc (delete_lock_in_parent): Use LIST_FOREACH_SAFE to avoid * flock.cc (delete_lock_in_parent): Use LIST_FOREACH_SAFE to avoid


@ -150,6 +150,8 @@ forkpty (int *amaster, char *name, const struct termios *termp,
switch (pid = fork ()) switch (pid = fork ())
{ {
case -1: case -1:
close (master);
close (slave);
return -1; return -1;
case 0: case 0:
close (master); close (master);
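Review bot: The two `close ()` calls added under `case -1:` run before `return -1`, so a failing close can overwrite the errno that fork () set, and the caller then sees the wrong failure reason. Saving it around the cleanup keeps the descriptor-leak fix without changing the reported error: `int saved = errno; close (master); close (slave); errno = saved;`, placed in a braced block because it sits under a case label. forkpty starts and ends outside the hunk, so whether master and slave are always valid descriptors at this point is assumed from the unseen part of the function.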


@ -34,14 +34,9 @@
static char sccsid[] = "@(#)fts.c 8.6 (Berkeley) 8/14/94"; static char sccsid[] = "@(#)fts.c 8.6 (Berkeley) 8/14/94";
#endif /* LIBC_SCCS and not lint */ #endif /* LIBC_SCCS and not lint */
#endif #endif
#ifdef __CYGWIN__
#include "winsup.h"
#include <sys/statfs.h>
#define _open open
#define _close close
#endif
#include <sys/cdefs.h> #include <sys/cdefs.h>
__FBSDID("$FreeBSD: /repoman/r/ncvs/src/lib/libc/gen/fts.c,v 1.27 2004/06/08 06:23:23 das Exp $"); __FBSDID("$FreeBSD: src/lib/libc/gen/fts.c,v 1.39 2013/02/11 02:00:16 svnexp Exp $");
#ifndef __CYGWIN__ #ifndef __CYGWIN__
#include "namespace.h" #include "namespace.h"
@ -57,19 +52,37 @@ __FBSDID("$FreeBSD: /repoman/r/ncvs/src/lib/libc/gen/fts.c,v 1.27 2004/06/08 06:
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#ifndef __CYGWIN__ #ifdef __CYGWIN__
#include "winsup.h"
#include <sys/statfs.h>
#define _open open
#define _close close
#define _dirfd dirfd
#ifdef __x86_64__
#define _fstat fstat
#else
extern int stat64 (const char *path, struct stat *buf);
extern int fstat64 (int fd, struct stat *buf);
extern int lstat64 (const char *path, struct stat *buf);
#define stat(a,b) stat64((a),(b))
#define _fstat(a,b) fstat64((a),(b))
#define lstat(a,b) lstat64((a),(b))
#endif
#else
#include "un-namespace.h" #include "un-namespace.h"
#include "gen-private.h"
#endif #endif
static FTSENT *fts_alloc(FTS *, const char *, int); static FTSENT *fts_alloc(FTS *, const char *, size_t);
static FTSENT *fts_build(FTS *, int); static FTSENT *fts_build(FTS *, int);
static void fts_lfree(FTSENT *); static void fts_lfree(FTSENT *);
static void fts_load(FTS *, FTSENT *); static void fts_load(FTS *, FTSENT *);
static size_t fts_maxarglen(char * const *); static size_t fts_maxarglen(char * const *);
static void fts_padjust(FTS *, FTSENT *); static void fts_padjust(FTS *, FTSENT *);
static int fts_palloc(FTS *, size_t); static int fts_palloc(FTS *, size_t);
static FTSENT *fts_sort(FTS *, FTSENT *, int); static FTSENT *fts_sort(FTS *, FTSENT *, size_t);
static u_short fts_stat(FTS *, FTSENT *, int); static int fts_stat(FTS *, FTSENT *, int);
static int fts_safe_changedir(FTS *, FTSENT *, int, const char *); static int fts_safe_changedir(FTS *, FTSENT *, int, const char *);
static int fts_ufslinks(FTS *, const FTSENT *); static int fts_ufslinks(FTS *, const FTSENT *);
@ -110,6 +123,7 @@ struct _fts_private {
#ifndef __CYGWIN__ #ifndef __CYGWIN__
static const char *ufslike_filesystems[] = { static const char *ufslike_filesystems[] = {
"ufs", "ufs",
"zfs",
"nfs", "nfs",
"nfs4", "nfs4",
"ext2fs", "ext2fs",
@ -126,9 +140,8 @@ fts_open(argv, options, compar)
struct _fts_private *priv; struct _fts_private *priv;
FTS *sp; FTS *sp;
FTSENT *p, *root; FTSENT *p, *root;
int nitems;
FTSENT *parent, *tmp; FTSENT *parent, *tmp;
int len; size_t len, nitems;
/* Options check. */ /* Options check. */
if (options & ~FTS_OPTIONMASK) { if (options & ~FTS_OPTIONMASK) {
@ -136,10 +149,15 @@ fts_open(argv, options, compar)
return (NULL); return (NULL);
} }
/* Allocate/initialize the stream. */ /* fts_open() requires at least one path */
if ((priv = malloc(sizeof(*priv))) == NULL) if (*argv == NULL) {
errno = EINVAL;
return (NULL);
}
/* Allocate/initialize the stream. */
if ((priv = calloc(1, sizeof(*priv))) == NULL)
return (NULL); return (NULL);
memset(priv, 0, sizeof(*priv));
sp = &priv->ftsp_fts; sp = &priv->ftsp_fts;
sp->fts_compar = compar; sp->fts_compar = compar;
sp->fts_options = options; sp->fts_options = options;
@ -218,7 +236,8 @@ fts_open(argv, options, compar)
* and ".." are all fairly nasty problems. Note, if we can't get the * and ".." are all fairly nasty problems. Note, if we can't get the
* descriptor we run anyway, just more slowly. * descriptor we run anyway, just more slowly.
*/ */
if (!ISSET(FTS_NOCHDIR) && (sp->fts_rfd = _open(".", O_RDONLY, 0)) < 0) if (!ISSET(FTS_NOCHDIR) &&
(sp->fts_rfd = _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0)
SET(FTS_NOCHDIR); SET(FTS_NOCHDIR);
return (sp); return (sp);
@ -231,11 +250,9 @@ mem1: free(sp);
} }
static void static void
fts_load(sp, p) fts_load(FTS *sp, FTSENT *p)
FTS *sp;
FTSENT *p;
{ {
int len; size_t len;
char *cp; char *cp;
/* /*
@ -257,8 +274,7 @@ fts_load(sp, p)
} }
int int
fts_close(sp) fts_close(FTS *sp)
FTS *sp;
{ {
FTSENT *freep, *p; FTSENT *freep, *p;
int saved_errno; int saved_errno;
@ -312,8 +328,7 @@ fts_close(sp)
? p->fts_pathlen - 1 : p->fts_pathlen) ? p->fts_pathlen - 1 : p->fts_pathlen)
FTSENT * FTSENT *
fts_read(sp) fts_read(FTS *sp)
FTS *sp;
{ {
FTSENT *p, *tmp; FTSENT *p, *tmp;
int instr; int instr;
@ -347,7 +362,8 @@ fts_read(sp)
(p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE)) { (p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE)) {
p->fts_info = fts_stat(sp, p, 1); p->fts_info = fts_stat(sp, p, 1);
if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) { if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) {
if ((p->fts_symfd = _open(".", O_RDONLY, 0)) < 0) { if ((p->fts_symfd = _open(".", O_RDONLY | O_CLOEXEC,
0)) < 0) {
p->fts_errno = errno; p->fts_errno = errno;
p->fts_info = FTS_ERR; p->fts_info = FTS_ERR;
} else } else
@ -438,7 +454,7 @@ next: tmp = p;
p->fts_info = fts_stat(sp, p, 1); p->fts_info = fts_stat(sp, p, 1);
if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) { if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) {
if ((p->fts_symfd = if ((p->fts_symfd =
_open(".", O_RDONLY, 0)) < 0) { _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0) {
p->fts_errno = errno; p->fts_errno = errno;
p->fts_info = FTS_ERR; p->fts_info = FTS_ERR;
} else } else
@ -506,10 +522,7 @@ name: t = sp->fts_path + NAPPEND(p->fts_parent);
*/ */
/* ARGSUSED */ /* ARGSUSED */
int int
fts_set(sp, p, instr) fts_set(FTS *sp, FTSENT *p, int instr)
FTS *sp __attribute__ ((unused));
FTSENT *p;
int instr;
{ {
if (instr != 0 && instr != FTS_AGAIN && instr != FTS_FOLLOW && if (instr != 0 && instr != FTS_AGAIN && instr != FTS_FOLLOW &&
instr != FTS_NOINSTR && instr != FTS_SKIP) { instr != FTS_NOINSTR && instr != FTS_SKIP) {
@ -521,9 +534,7 @@ fts_set(sp, p, instr)
} }
FTSENT * FTSENT *
fts_children(sp, instr) fts_children(FTS *sp, int instr)
FTS *sp;
int instr;
{ {
FTSENT *p; FTSENT *p;
int fd; int fd;
@ -579,11 +590,13 @@ fts_children(sp, instr)
ISSET(FTS_NOCHDIR)) ISSET(FTS_NOCHDIR))
return (sp->fts_child = fts_build(sp, instr)); return (sp->fts_child = fts_build(sp, instr));
if ((fd = _open(".", O_RDONLY, 0)) < 0) if ((fd = _open(".", O_RDONLY | O_CLOEXEC, 0)) < 0)
return (NULL); return (NULL);
sp->fts_child = fts_build(sp, instr); sp->fts_child = fts_build(sp, instr);
if (fchdir(fd)) if (fchdir(fd)) {
(void)_close(fd);
return (NULL); return (NULL);
}
(void)_close(fd); (void)_close(fd);
return (sp->fts_child); return (sp->fts_child);
} }
@ -631,20 +644,18 @@ fts_set_clientptr(FTS *sp, void *clientptr)
* been found, cutting the stat calls by about 2/3. * been found, cutting the stat calls by about 2/3.
*/ */
static FTSENT * static FTSENT *
fts_build(sp, type) fts_build(FTS *sp, int type)
FTS *sp;
int type;
{ {
struct dirent *dp; struct dirent *dp;
FTSENT *p, *head; FTSENT *p, *head;
int nitems;
FTSENT *cur, *tail; FTSENT *cur, *tail;
DIR *dirp; DIR *dirp;
void *oldaddr; void *oldaddr;
size_t dnamlen;
int cderrno, descend, len, level, maxlen, nlinks, /*oflag,*/ saved_errno,
nostat, doadjust;
char *cp; char *cp;
int cderrno, descend, /* oflag, */ saved_errno, nostat, doadjust;
long level;
long nlinks; /* has to be signed because -1 is a magic value */
size_t dnamlen, len, maxlen, nitems;
/* Set current node pointer. */ /* Set current node pointer. */
cur = sp->fts_cur; cur = sp->fts_cur;
@ -711,7 +722,7 @@ fts_build(sp, type)
*/ */
cderrno = 0; cderrno = 0;
if (nlinks || type == BREAD) { if (nlinks || type == BREAD) {
if (fts_safe_changedir(sp, cur, dirfd(dirp), NULL)) { if (fts_safe_changedir(sp, cur, _dirfd(dirp), NULL)) {
if (nlinks && type == BREAD) if (nlinks && type == BREAD)
cur->fts_errno = errno; cur->fts_errno = errno;
cur->fts_flags |= FTS_DONTCHDIR; cur->fts_flags |= FTS_DONTCHDIR;
@ -756,9 +767,9 @@ fts_build(sp, type)
if (!ISSET(FTS_SEEDOT) && ISDOT(dp->d_name)) if (!ISSET(FTS_SEEDOT) && ISDOT(dp->d_name))
continue; continue;
if ((p = fts_alloc(sp, dp->d_name, (int)dnamlen)) == NULL) if ((p = fts_alloc(sp, dp->d_name, dnamlen)) == NULL)
goto mem1; goto mem1;
if ((int) dnamlen >= maxlen) { /* include space for NUL */ if (dnamlen >= maxlen) { /* include space for NUL */
oldaddr = sp->fts_path; oldaddr = sp->fts_path;
if (fts_palloc(sp, dnamlen + len + 1)) { if (fts_palloc(sp, dnamlen + len + 1)) {
/* /*
@ -785,21 +796,6 @@ mem1: saved_errno = errno;
maxlen = sp->fts_pathlen - len; maxlen = sp->fts_pathlen - len;
} }
if (len + dnamlen >= USHRT_MAX) {
/*
* In an FTSENT, fts_pathlen is a u_short so it is
* possible to wraparound here. If we do, free up
* the current structure and the structures already
* allocated, then error out with ENAMETOOLONG.
*/
free(p);
fts_lfree(head);
(void)closedir(dirp);
cur->fts_info = FTS_ERR;
SET(FTS_STOP);
errno = ENAMETOOLONG;
return (NULL);
}
p->fts_level = level; p->fts_level = level;
p->fts_parent = sp->fts_cur; p->fts_parent = sp->fts_cur;
p->fts_pathlen = len + dnamlen; p->fts_pathlen = len + dnamlen;
@ -817,7 +813,7 @@ mem1: saved_errno = errno;
p->fts_info = FTS_NSOK; p->fts_info = FTS_NSOK;
p->fts_accpath = cur->fts_accpath; p->fts_accpath = cur->fts_accpath;
} else if (nlinks == 0 } else if (nlinks == 0
#if defined(DT_DIR) #ifdef DT_DIR
|| (nostat && || (nostat &&
dp->d_type != DT_DIR && dp->d_type != DT_UNKNOWN) dp->d_type != DT_DIR && dp->d_type != DT_UNKNOWN)
#endif #endif
@ -865,11 +861,8 @@ mem1: saved_errno = errno;
* If not changing directories, reset the path back to original * If not changing directories, reset the path back to original
* state. * state.
*/ */
if (ISSET(FTS_NOCHDIR)) { if (ISSET(FTS_NOCHDIR))
if (len == sp->fts_pathlen || nitems == 0) sp->fts_path[cur->fts_pathlen] = '\0';
--cp;
*cp = '\0';
}
/* /*
* If descended after called from fts_children or after called from * If descended after called from fts_children or after called from
@ -900,11 +893,8 @@ mem1: saved_errno = errno;
return (head); return (head);
} }
static u_short static int
fts_stat(sp, p, follow) fts_stat(FTS *sp, FTSENT *p, int follow)
FTS *sp;
FTSENT *p;
int follow;
{ {
FTSENT *t; FTSENT *t;
dev_t dev; dev_t dev;
@ -932,16 +922,16 @@ fts_stat(sp, p, follow)
* fail, set the errno from the stat call. * fail, set the errno from the stat call.
*/ */
if (ISSET(FTS_LOGICAL) || follow) { if (ISSET(FTS_LOGICAL) || follow) {
if (stat64(p->fts_accpath, sbp)) { if (stat(p->fts_accpath, sbp)) {
saved_errno = errno; saved_errno = errno;
if (!lstat64(p->fts_accpath, sbp)) { if (!lstat(p->fts_accpath, sbp)) {
errno = 0; errno = 0;
return (FTS_SLNONE); return (FTS_SLNONE);
} }
p->fts_errno = saved_errno; p->fts_errno = saved_errno;
goto err; goto err;
} }
} else if (lstat64(p->fts_accpath, sbp)) { } else if (lstat(p->fts_accpath, sbp)) {
p->fts_errno = errno; p->fts_errno = errno;
err: memset(sbp, 0, sizeof(struct stat)); err: memset(sbp, 0, sizeof(struct stat));
return (FTS_NS); return (FTS_NS);
@ -999,10 +989,7 @@ fts_compar(const void *a, const void *b)
} }
static FTSENT * static FTSENT *
fts_sort(sp, head, nitems) fts_sort(FTS *sp, FTSENT *head, size_t nitems)
FTS *sp;
FTSENT *head;
int nitems;
{ {
FTSENT **ap, *p; FTSENT **ap, *p;
@ -1031,10 +1018,7 @@ fts_sort(sp, head, nitems)
} }
static FTSENT * static FTSENT *
fts_alloc(sp, name, namelen) fts_alloc(FTS *sp, const char *name, size_t namelen)
FTS *sp;
const char *name;
int namelen;
{ {
FTSENT *p; FTSENT *p;
size_t len; size_t len;
@ -1081,8 +1065,7 @@ fts_alloc(sp, name, namelen)
} }
static void static void
fts_lfree(head) fts_lfree(FTSENT *head)
FTSENT *head;
{ {
FTSENT *p; FTSENT *p;
@ -1100,24 +1083,10 @@ fts_lfree(head)
* plus 256 bytes so don't realloc the path 2 bytes at a time. * plus 256 bytes so don't realloc the path 2 bytes at a time.
*/ */
static int static int
fts_palloc(sp, more) fts_palloc(FTS *sp, size_t more)
FTS *sp;
size_t more;
{ {
sp->fts_pathlen += more + 256; sp->fts_pathlen += more + 256;
/*
* Check for possible wraparound. In an FTS, fts_pathlen is
* a signed int but in an FTSENT it is an unsigned short.
* We limit fts_pathlen to USHRT_MAX to be safe in both cases.
*/
if (sp->fts_pathlen < 0 || sp->fts_pathlen >= USHRT_MAX) {
if (sp->fts_path)
free(sp->fts_path);
sp->fts_path = NULL;
errno = ENAMETOOLONG;
return (1);
}
sp->fts_path = reallocf(sp->fts_path, sp->fts_pathlen); sp->fts_path = reallocf(sp->fts_path, sp->fts_pathlen);
return (sp->fts_path == NULL); return (sp->fts_path == NULL);
} }
@ -1127,9 +1096,7 @@ fts_palloc(sp, more)
* already returned. * already returned.
*/ */
static void static void
fts_padjust(sp, head) fts_padjust(FTS *sp, FTSENT *head)
FTS *sp;
FTSENT *head;
{ {
FTSENT *p; FTSENT *p;
char *addr = sp->fts_path; char *addr = sp->fts_path;
@ -1170,11 +1137,7 @@ fts_maxarglen(argv)
* Assumes p->fts_dev and p->fts_ino are filled in. * Assumes p->fts_dev and p->fts_ino are filled in.
*/ */
static int static int
fts_safe_changedir(sp, p, fd, path) fts_safe_changedir(FTS *sp, FTSENT *p, int fd, const char *path)
FTS *sp;
FTSENT *p;
int fd;
const char *path;
{ {
int ret, oerrno, newfd; int ret, oerrno, newfd;
struct stat sb; struct stat sb;
@ -1182,9 +1145,10 @@ fts_safe_changedir(sp, p, fd, path)
newfd = fd; newfd = fd;
if (ISSET(FTS_NOCHDIR)) if (ISSET(FTS_NOCHDIR))
return (0); return (0);
if (fd < 0 && (newfd = _open(path, O_RDONLY, 0)) < 0) if (fd < 0 && (newfd = _open(path, O_RDONLY | O_DIRECTORY |
O_CLOEXEC, 0)) < 0)
return (-1); return (-1);
if (fstat64(newfd, &sb)) { if (_fstat(newfd, &sb)) {
ret = -1; ret = -1;
goto bail; goto bail;
} }
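Review bot: The hunks in fts_build and fts_palloc delete the USHRT_MAX / ENAMETOOLONG wraparound guards, yet `p->fts_pathlen = len + dnamlen;` and `sp->fts_pathlen += more + 256;` remain, and the deleted comments state that fts_pathlen is a u_short in FTSENT and a signed int in FTS. The four file sections shown do not include fts.h, so unless the header already declares both fields as size_t, a sufficiently long path can make the stored length wrap while the path buffer keeps growing, and later indexing such as `sp->fts_path[cur->fts_pathlen] = '\0'` would use the truncated value. Either widen the fields in the header in the same change, or keep the guard `if (len + dnamlen >= USHRT_MAX)` with its ENAMETOOLONG cleanup in fts_build and the matching check in fts_palloc. Both functions extend beyond the hunks shown.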


@ -77,7 +77,7 @@ void minires_get_search(char * string, res_state statp)
ptr += sizes[j]; ptr += sizes[j];
DPRINTF(debug, "search \"%s\"\n", words[j]); DPRINTF(debug, "search \"%s\"\n", words[j]);
} }
else else if (j < MAXDNSRCH + 1)
DPRINTF(debug, "no space for \"%s\"\n", words[j]); DPRINTF(debug, "no space for \"%s\"\n", words[j]);
} }
} }
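Review bot: The new guard `else if (j < MAXDNSRCH + 1)` hard-codes what is presumably the capacity of words[] (its declaration is outside the hunk), so the bound and the array can drift apart if either one changes. Deriving the limit from the array keeps them tied, for example `else if (j < (int) (sizeof words / sizeof words[0]))`, assuming words is a true array in this scope and with the cast matched to j's type. A one-line comment such as `/* j may exceed the capacity of words[]; only names actually stored can be logged */` would record why the else needs a condition. Names beyond the array are now dropped with no debug output at all, which may deserve a separate DPRINTF that does not index words.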