authorJaikumar Ganesh <jaikumar@google.com>2011-03-08 16:51:12 -0800
committerJaikumar Ganesh <jaikumar@google.com>2011-03-28 11:10:44 -0700
commit02e98694ef87ea8ecb47789abf89c3f945ee0e20 (patch)
tree43393a68df4b5a04ac9eba4d877bddcaa0784077
parent742127bfafed8592303b11c44e614821db8042d8 (diff)
Bug: 4062227 Original author: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com> Cherry-picked from upstream Bluez. Fix crash when mmaping files which size is multiple of page size In this case the buffer returned by mmap is not NULL terminated so functions like strpbrk that expect a string goes out of bounds. To fix this strpbrk_len was introduced which takes the size of the buffer making sure it never goes out of bounds. Change-Id: I1376613dbb3fe09b89c2f7417c1bd4a8c669b674
-rw-r--r--src/textfile.c38
1 files changed, 33 insertions, 5 deletions
diff --git a/src/textfile.c b/src/textfile.c
index b1722c82..bba7d081 100644
--- a/src/textfile.c
+++ b/src/textfile.c
@@ -160,6 +160,28 @@ static inline int write_key_value(int fd, const char *key, const char *value)
return err;
}
+static char *strnpbrk(const char *s, ssize_t len, const char *accept)
+{
+ const char *p = s;
+ const char *end;
+
+ end = s + len - 1;
+
+ while (p <= end && *p) {
+ const char *a = accept;
+
+ while (*a) {
+ if (*p == *a)
+ return (char *) p;
+ a++;
+ }
+
+ p++;
+ }
+
+ return NULL;
+}
+
static int write_key(const char *pathname, const char *key, const char *value, int icase)
{
struct stat st;
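Review bot: In `strnpbrk`, `end = s + len - 1` forms a pointer one element before `s` when `len` is 0 (and further back when it is negative), which is undefined pointer arithmetic even though the loop then never runs. A one-past-the-end bound avoids that: `end = s + len;` with `while (p < end && *p) {`, optionally preceded by `if (len <= 0) return NULL;`. A short comment above the function would also help, stating that `len` is the number of readable bytes at `s` and that the scan stops early at a NUL, because every call site has to compute that length by hand.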
@@ -211,7 +233,7 @@ static int write_key(const char *pathname, const char *key, const char *value, i
base = off - map;
- end = strpbrk(off, "\r\n");
+ end = strnpbrk(off, size, "\r\n");
if (!end) {
err = EILSEQ;
goto unmap;
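Review bot: The length passed to `strnpbrk` in `write_key` is the full `size`, but `off` already sits `base = off - map` bytes into the buffer, so the scan may still run up to `base` bytes past the end; this assumes `size` is the mapping length, which is declared outside the hunk. The bound should be the bytes remaining from `off`: `end = strnpbrk(off, size - (off - map), "\r\n");`. The `read_key` hunk has the same over-long bound for a different reason: `size - (map - off)` has the pointer operands swapped, so it adds the offset instead of subtracting it, and needs the same expression. In both places a last line with no `\r` or `\n` could presumably still be scanned beyond the map, which is the out-of-bounds read this commit sets out to remove.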
@@ -319,7 +341,7 @@ static char *read_key(const char *pathname, const char *key, int icase)
goto unmap;
}
- end = strpbrk(off, "\r\n");
+ end = strnpbrk(off, size - (map - off), "\r\n");
if (!end) {
err = EILSEQ;
goto unmap;
@@ -409,8 +431,8 @@ int textfile_foreach(const char *pathname,
off = map;
- while (1) {
- end = strpbrk(off, " ");
+ while (size - (off - map) > 0) {
+ end = strnpbrk(off, size - (off - map), " ");
if (!end) {
err = EILSEQ;
break;
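Review bot: The remaining-length expression `size - (off - map)` is written out by hand in the loop condition and again in each `strnpbrk` call in `textfile_foreach`, and the arguments passed in `write_key` and `read_key` already differ from it. Computing it once per step, e.g. `ssize_t left = size - (off - map);` followed by `end = strnpbrk(off, left, " ");`, keeps the bound in one place and makes the mixed pointer-difference arithmetic explicit. The declarations of `size`, `off` and `map` are outside the hunk, so the type chosen for `left` should follow them.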
@@ -429,7 +451,13 @@ int textfile_foreach(const char *pathname,
off = end + 1;
- end = strpbrk(off, "\r\n");
+ if (size - (off - map) < 0) {
+ err = EILSEQ;
+ free(key);
+ break;
+ }
+
+ end = strnpbrk(off, size - (off - map), "\r\n");
if (!end) {
err = EILSEQ;
free(key);
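Review bot: The added guard `if (size - (off - map) < 0)` looks unreachable. `off` is `end + 1`, and assuming `end` is still the pointer returned by the bounded `strnpbrk` at the top of the loop (the lines in between are not shown), `off` is at most one past the last byte, so the difference is never negative. The case that can occur is zero bytes left after the separator, which currently falls through to `strnpbrk` with a length of 0. Testing for that instead would reject it at the guard: `if (size - (off - map) <= 0) {`. The loop body continues outside the hunk.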