From: John Wolfe <jwolfe@vmware.com>
Date: Fri, 22 Jan 2021 20:25:41 +0000 (-0800)
Subject: Invalid file name causes the VMX to crash in log file rotation
X-Git-Tag: stable-11.3.0~180
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f8671ff14899d34f7abc07550812d5951e927b0;p=thirdparty%2Fopen-vm-tools.git

Invalid file name causes the VMX to crash in log file rotation

Parse the log file names without using sscanf.  This way no "%" in
a file name can look like a valid scanf directive.
---

diff --git a/open-vm-tools/lib/file/file.c b/open-vm-tools/lib/file/file.c
index ac84e1414..7500bbba3 100644
--- a/open-vm-tools/lib/file/file.c
+++ b/open-vm-tools/lib/file/file.c
@@ -68,6 +68,7 @@
 #include "vm_atomic.h"
 #include "fileLock.h"
 #include "userlock.h"
+#include "strutil.h"
 
 #include "unicodeOperations.h"
 
@@ -2444,7 +2445,6 @@ FileRotateByRenumber(const char *filePath,       // IN: full path to file
    uint32 nFound = 0;
    char *baseDir = NULL;
    char *baseName = NULL;
-   char *fmtString = NULL;
    char **fileList = NULL;
    char *fullPathNoExt = NULL;
    uint32 *fileNumbers = NULL;
@@ -2473,8 +2473,6 @@ FileRotateByRenumber(const char *filePath,       // IN: full path to file
       goto cleanup;
    }
 
-   fmtString = Str_SafeAsprintf(NULL, "%s-%%u%s%%n", baseName, ext);
-
    nrFiles = File_ListDirectory(baseDir, &fileList);
    if (nrFiles == -1) {
       Log(LGPFX" %s: failed to read the directory '%s'.\n", __FUNCTION__,
@@ -2484,16 +2482,39 @@ FileRotateByRenumber(const char *filePath,       // IN: full path to file
 
    fileNumbers = Util_SafeCalloc(nrFiles, sizeof(uint32));
 
+   /*
+    * Make sure the whole file name precisely matches what we expect before
+    * including in the list to be considered.
+    */
+
    for (i = 0; i < nrFiles; i++) {
-      uint32 curNr;
-      int bytesProcessed = 0;
+      if (StrUtil_StartsWith(fileList[i], baseName) &&
+          StrUtil_EndsWith(fileList[i], ext) &&
+          fileList[i][strlen(baseName)] == '-') {
+         uint32 curNr;
+         char *endNr = NULL;
+         size_t nrLen = strlen(fileList[i]) - strlen(baseName) - strlen(ext) - 1;
+         const char *nr = fileList[i] + strlen(baseName) + 1;
+
+         if (nrLen < 1) {  // Something must be present after the "-"
+            continue;
+         }
 
-      /*
-       * Make sure the whole file name matched what we expect for the file.
-       */
+         if (!isdigit(nr[0])) {  // "-' must immediately be followed by a digit
+            continue;
+         }
+
+         if (nr[0] == '0') {  // zero is invalid, as are leading zeros
+            continue;
+         }
+
+         errno = 0;
+         curNr = strtoul(nr, &endNr, 10);
+
+         if ((errno != 0) || (endNr - nr != nrLen)) {  // out of range; vmware-1C.log
+            continue;
+         }
 
-      if ((sscanf(fileList[i], fmtString, &curNr, &bytesProcessed) >= 1) &&
-          (bytesProcessed == strlen(fileList[i]))) {
          fileNumbers[nFound++] = curNr;
       }
 
@@ -2574,7 +2595,6 @@ FileRotateByRenumber(const char *filePath,       // IN: full path to file
   cleanup:
    Posix_Free(fileNumbers);
    Posix_Free(fileList);
-   Posix_Free(fmtString);
    Posix_Free(baseDir);
    Posix_Free(baseName);
    Posix_Free(fullPathNoExt);