git.openwrt.org Git - project/uci.git/commit

author	Hauke Mehrtens <hauke@hauke-m.de>
	Sun, 4 Oct 2020 15:14:49 +0000 (17:14 +0200)
committer	Petr Štetiar <ynezz@true.cz>
	Tue, 6 Oct 2020 06:33:57 +0000 (08:33 +0200)
commit	eae126f66663e5c73e5d290b8e3134449489340f
tree	0d098c9e65219d82628a6095d52dc7c8abede071	tree \| snapshot
parent	7f574273180ac940c57da0f28c26a5274c165e48	commit \| diff

file: Check buffer size after strtok()

This fixes a heap overflow in the parsing of the uci line.

The line which is parsed and put into pctx->buf is null terminated and
stored on the heap. In the uci_parse_line() function we use strtok() to
split this string in multiple parts after divided by a space or tab.
strtok() replaces these characters with a NULL byte. If the next byte is
NULL we assume that this NULL byte was added by strtok() and try to
parse the string after this NULL byte. If this NULL byte was not added
by strtok(), but by fgets() to mark the end of the string we would read
over this end of the string in uninitialized memory and later over the
allocated buffer.

Fix this problem by storing how long the line we read was and check if
we would read over the end of the string here.

This also adds the input which detected this crash to the corpus of the
fuzzer.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
[fixed merge conflict in tests]
Signed-off-by: Petr Štetiar <ynezz@true.cz>

file.c		diff \| blob \| history
tests/cram/test-san_uci_import.t		diff \| blob \| history
tests/cram/test_uci_import.t		diff \| blob \| history
tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b	[new file with mode: 0644]	blob
uci_internal.h		diff \| blob \| history