From a198054456728ae3ea8565e11e636c759616ef9c Mon Sep 17 00:00:00 2001
From: Alejandro Colomar
Date: Tue, 2 Jul 2024 14:51:04 +0200
Subject: [PATCH] lib/port.c: getportent(): Make sure the aren't too many fields in the CSV

Otherwise, the line is invalidly formatted, and we ignore it.

Detailed explanation:

There are two conditions on which we break out of the loops that precede these added checks:

- j is too big (we've exhausted the space in the static arrays)

$ grep -r -e PORT_TTY -e PORT_IDS lib/port.*
lib/port.c:	static char *ttys[PORT_TTY + 1];	/* some pointers to tty names */
lib/port.c:	static char *users[PORT_IDS + 1];	/* some pointers to user ids */
lib/port.c:	for (cp = buf, j = 0; j < PORT_TTY; j++) {
lib/port.c:		if ((',' == *cp) && (j < PORT_IDS)) {
lib/port.h: * PORT_IDS - Allowable number of IDs per entry.
lib/port.h: * PORT_TTY - Allowable number of TTYs per entry.
lib/port.h:#define PORT_IDS 64
lib/port.h:#define PORT_TTY 64

- strpbrk(3) found a ':', which signals the end of the comma-sepatated list, and the start of the next colon-separated field.

If the first character in the remainder of the string is not a ':', it means we've exhausted the array size, but the CSV list was longer, so we'd be truncating it. Consider the entire line invalid, and skip it.

Signed-off-by: Alejandro Colomar
---
 lib/port.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/port.c b/lib/port.c
index cac4ba44f..32bb08025 100644
--- a/lib/port.c
+++ b/lib/port.c
@@ -159,6 +159,9 @@ next:
 		if (',' == *cp)	/* end of current tty name */
 			stpcpy(cp++, "");
 	}
+	if (':' != *cp)
+		goto next;
+
 	stpcpy(cp++, "");
 	port.pt_names[j] = NULL;
@@ -187,10 +190,8 @@ next:
 	} else {
 		port.pt_users = 0;
 	}
-
-	if (':' != *cp) {
+	if (':' != *cp)
 		goto next;
-	}
 	stpcpy(cp++, "");
-- 
2.47.3
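Review bot: The new `if (':' != *cp) goto next;` after the tty loop in the first hunk carries none of the reasoning the commit message gives, so a reader of port.c will not see why an entry is rejected at this point; a one-line comment such as `/* more than PORT_TTY names: the list would be truncated, so treat the whole entry as malformed and skip it */` would keep the intent local, and the same comment (with PORT_IDS) fits the matching check in the second hunk. The `goto next` path also drops the entry without any diagnostic, so an administrator who lists more than 64 ttys or users in one entry gets no indication that the line is silently ignored; whether that fails open or closed depends on how the caller treats a missing entry, which is not visible here, so a comment at the skip pointing this out, or a log line if the file already has a logging convention, would help operators notice the misconfiguration. The enclosing function getportent() starts and ends outside both hunks, so the loop exit conditions the checks rely on could not be verified from the diff alone.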