ALT Linux Bugzilla
– Attachment 2738 Details for
Bug 15284
Buffer overflow in match_datestamp()
[patch]
diff из апстрима
match.c.diff (text/plain), 2.71 KB, created by
Slava Semushin
on 2008-08-01 10:46:20 MSD
Description:
diff из апстрима
Filename:
MIME Type:
Creator:
Slava Semushin
Created:
2008-08-01 10:46:20 MSD
Size:
2.71 KB
patch
obsolete
>--- amanda/trunk/common-src/match.c 2007/05/22 19:20:27 347
>+++ amanda/trunk/common-src/match.c 2008/06/30 18:14:06 1155
>@@ -530,6 +530,17 @@
> return match_word(glob, disk, '/');
> }
>
>+static int
>+alldigits(
>+ const char *str)
>+{
>+ while (*str) {
>+ if (!isdigit((int)*(str++)))
>+ return 0;
>+ }
>+ return 1;
>+}
>+
> int
> match_datestamp(
> const char * dateexp,
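Review bot: `isdigit((int)*(str++))` in `alldigits` passes a plain `char`, which is negative for bytes >= 0x80 where `char` is signed, and a negative argument other than EOF is undefined behaviour for the `<ctype.h>` functions. Convert through `unsigned char` instead: `if (!isdigit((unsigned char)*str++))`. The helper also returns 1 for an empty string, so a short comment such as `/* return 1 if str holds only digits (including the empty string), else 0 */` would make that contract visible to callers.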
>@@ -543,45 +554,56 @@
> int match_exact;
>
> if(strlen(dateexp) >= 100 || strlen(dateexp) < 1) {
>- error(_("Illegal datestamp expression %s"),dateexp);
>- /*NOTREACHED*/
>+ goto illegal;
> }
>
>+ /* strip and ignore an initial "^" */
> if(dateexp[0] == '^') {
>- strncpy(mydateexp, dateexp+1, strlen(dateexp)-1);
>- mydateexp[strlen(dateexp)-1] = '\0';
>+ strncpy(mydateexp, dateexp+1, sizeof(mydateexp)-1);
>+ mydateexp[sizeof(mydateexp)-1] = '\0';
> }
> else {
>- strncpy(mydateexp, dateexp, strlen(dateexp));
>- mydateexp[strlen(dateexp)] = '\0';
>+ strncpy(mydateexp, dateexp, sizeof(mydateexp)-1);
>+ mydateexp[sizeof(mydateexp)] = '\0';
> }
>
>- if(mydateexp[strlen(mydateexp)] == '$') {
>+ if(mydateexp[strlen(mydateexp)-1] == '$') {
> match_exact = 1;
>- mydateexp[strlen(mydateexp)] = '\0';
>+ mydateexp[strlen(mydateexp)-1] = '\0'; /* strip the trailing $ */
> }
> else
> match_exact = 0;
>
>+ /* a single dash represents a date range */
> if((dash = strchr(mydateexp,'-'))) {
>- if(match_exact == 1) {
>- error(_("Illegal datestamp expression %s"),dateexp);
>- /*NOTREACHED*/
>+ if(match_exact == 1 || strchr(dash+1, '-')) {
>+ goto illegal;
> }
>- len = (size_t)(dash - mydateexp);
>- len_suffix = strlen(dash) - 1;
>- len_prefix = len - len_suffix;
>+
>+ /* format: XXXYYYY-ZZZZ, indicating dates XXXYYYY to XXXZZZZ */
>+
>+ len = (size_t)(dash - mydateexp); /* length of XXXYYYY */
>+ len_suffix = strlen(dash) - 1; /* length of ZZZZ */
>+ if (len_suffix > len) goto illegal;
>+ len_prefix = len - len_suffix; /* length of XXX */
>
> dash++;
>+
> strncpy(firstdate, mydateexp, len);
> firstdate[len] = '\0';
> strncpy(lastdate, mydateexp, len_prefix);
> strncpy(&(lastdate[len_prefix]), dash, len_suffix);
> lastdate[len] = '\0';
>+ if (!alldigits(firstdate) || !alldigits(lastdate))
>+ goto illegal;
>+ if (strncmp(firstdate, lastdate, strlen(firstdate)) > 0)
>+ goto illegal;
> return ((strncmp(datestamp, firstdate, strlen(firstdate)) >= 0) &&
> (strncmp(datestamp, lastdate , strlen(lastdate)) <= 0));
> }
> else {
>+ if (!alldigits(mydateexp))
>+ goto illegal;
> if(match_exact == 1) {
> return (strcmp(datestamp, mydateexp) == 0);
> }
>@@ -589,6 +611,9 @@
> return (strncmp(datestamp, mydateexp, strlen(mydateexp)) == 0);
> }
> }
>+illegal:
>+ error(_("Illegal datestamp expression %s"),dateexp);
>+ /*NOTREACHED*/
> }
>
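Review bot: In the `else` branch of the copy, the new terminator `mydateexp[sizeof(mydateexp)] = '\0';` stores one byte past the end of the buffer, assuming `mydateexp` is a local char array (its declaration is outside the hunk). It should mirror the `^` branch: `mydateexp[sizeof(mydateexp)-1] = '\0';`. Separately, the new `mydateexp[strlen(mydateexp)-1] == '$'` test indexes at `(size_t)-1` when the expression is just `^`, because that input passes the length check and leaves `mydateexp` empty. Guarding the test with `mydateexp[0] != '\0' &&` avoids the out-of-bounds read. The sizes of `firstdate` and `lastdate` are also declared outside the hunk, so it is worth confirming they are at least as large as `mydateexp` before relying on `firstdate[len] = '\0'`.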