about summary refs log tree commit diff
path: root/misc/tst-mntent-blank-corrupt.c
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2015-08-28 17:08:49 -0400
committerMike Frysinger <vapier@gentoo.org>2015-08-29 18:07:00 -0400
commitb0e805fa0d6fea33745952df7b7f5442ca4c374f (patch)
tree1912c70048e9a9a4a48681f37d0dd692265cd693 /misc/tst-mntent-blank-corrupt.c
parent30da407eca459329e060d0412c3fa6710f657e83 (diff)
downloadglibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.gz
glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.xz
glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.zip
getmntent: fix memory corruption w/blank lines [BZ #18887]
The fix for BZ #17273 introduced a single byte of memory corruption when
the line is entirely blank.  It would walk back past the start of the
buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte.
	buffer = '\n';
	end_ptr = buffer;
	while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
		end_ptr--;
	*end_ptr = '\0';

Fix that and rework the tests.  Adding the testcase for BZ #17273 to the
existing \040 parser does not really make sense as it's unrelated, and
leads to confusing behavior: it implicitly relies on the new entry being
longer than the previous entry (since it just rewinds the FILE*).  Split
it out into its own dedicated testcase instead.
Diffstat (limited to 'misc/tst-mntent-blank-corrupt.c')
-rw-r--r--misc/tst-mntent-blank-corrupt.c45
1 files changed, 45 insertions, 0 deletions
diff --git a/misc/tst-mntent-blank-corrupt.c b/misc/tst-mntent-blank-corrupt.c
new file mode 100644
index 0000000000..92266a35b5
--- /dev/null
+++ b/misc/tst-mntent-blank-corrupt.c
@@ -0,0 +1,45 @@
+/* Make sure blank lines does not cause memory corruption BZ #18887.
+
+   Copyright (C) 2009-2015 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <mntent.h>
+#include <stdio.h>
+#include <string.h>
+
+/* Make sure blank lines don't trigger memory corruption.  This doesn't happen
+   for all targets though, so it's a best effort test BZ #18887.  */
+static int
+do_test (void)
+{
+  FILE *fp;
+
+  fp = tmpfile ();
+  fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp);
+  rewind (fp);
+
+  /* The corruption happens here ...  */
+  getmntent (fp);
+  /* ... but trigers here.  */
+  endmntent (fp);
+
+  /* If the test failed, we would crash, and not hit this point.  */
+  return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"