lib/port.c: getportent(): Make sure the aren't too many fields in the CSV

Otherwise, the line is invalidly formatted, and we ignore it.

Detailed explanation:

There are two conditions on which we break out of the loops that precede
these added checks:

-  j is too big (we've exhausted the space in the static arrays)

	$ grep -r -e PORT_TTY -e PORT_IDS lib/port.*
	lib/port.c:	static char *ttys[PORT_TTY + 1];	/* some pointers to tty names     */
	lib/port.c:	static char *users[PORT_IDS + 1];	/* some pointers to user ids     */
	lib/port.c:	for (cp = buf, j = 0; j < PORT_TTY; j++) {
	lib/port.c:			if ((',' == *cp) && (j < PORT_IDS)) {
	lib/port.h: * PORT_IDS - Allowable number of IDs per entry.
	lib/port.h: * PORT_TTY - Allowable number of TTYs per entry.
	lib/port.h:#define	PORT_IDS	64
	lib/port.h:#define	PORT_TTY	64

-  strpbrk(3) found a ':', which signals the end of the comma-sepatated
   list, and the start of the next colon-separated field.

If the first character in the remainder of the string is not a ':', it
means we've exhausted the array size, but the CSV list was longer, so
we'd be truncating it.  Consider the entire line invalid, and skip it.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

diff --git a/lib/port.c b/lib/port.c
index cac4ba44f0051181440b81f5e7c0c5067c5483b0..32bb0802531b324d2694ceeb02444a7ba7b8fd15 100644 (file)
--- a/lib/port.c
+++ b/lib/port.c
@@ -159,6 +159,9 @@ next:
                if (',' == *cp)         /* end of current tty name */
                        stpcpy(cp++, "");
        }
+       if (':' != *cp)
+               goto next;
+
        stpcpy(cp++, "");
        port.pt_names[j] = NULL;
 
@@ -187,10 +190,8 @@ next:
        } else {
                port.pt_users = 0;
        }
-
-       if (':' != *cp) {
+       if (':' != *cp)
                goto next;
-       }
 
        stpcpy(cp++, "");