From 29328cbda5daea22f02e4ca94ca75783f22efc61 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

Date: Sun, 29 Sep 2013 14:40:58 +0200

Subject: [PATCH] Fix buffer overrun when enumerating files

https://bugs.freedesktop.org/show_bug.cgi?id=69887

Based-on-a-patch-by: Hans Petter Jansson <hpj@copyleft.no>

---

 src/shared/util.c    | 79 +++++++++++++++++-----------------------------------

 src/test/test-util.c | 10 +++++++

 2 files changed, 36 insertions(+), 53 deletions(-)

diff --git a/src/shared/util.c b/src/shared/util.c

index 766957a..4f80cc8 100644

--- a/src/shared/util.c

+++ b/src/shared/util.c

@@ -4412,38 +4412,31 @@ int dirent_ensure_type(DIR *d, struct dirent *de) {

 }

 int in_search_path(const char *path, char **search) {

-        char **i, *parent;

+        char **i;

+        _cleanup_free_ char *parent = NULL;

         int r;

         r = path_get_parent(path, &parent);

         if (r < 0)

                 return r;

-        r = 0;

-

-        STRV_FOREACH(i, search) {

-                if (path_equal(parent, *i)) {

-                        r = 1;

-                        break;

-                }

-        }

-

-        free(parent);

+        STRV_FOREACH(i, search)

+                if (path_equal(parent, *i))

+                        return 1;

-        return r;

+        return 0;

 }

 int get_files_in_directory(const char *path, char ***list) {

-        DIR *d;

-        int r = 0;

-        unsigned n = 0;

-        char **l = NULL;

+        _cleanup_closedir_ DIR *d = NULL;

+        size_t bufsize = 0, n = 0;

+        _cleanup_strv_free_ char **l = NULL;

         assert(path);

         /* Returns all files in a directory in *list, and the number

          * of files as return value. If list is NULL returns only the

-         * number */

+         * number. */

         d = opendir(path);

         if (!d)

@@ -4455,11 +4448,9 @@ int get_files_in_directory(const char *path, char ***list) {

                 int k;

                 k = readdir_r(d, &buf.de, &de);

-                if (k != 0) {

-                        r = -k;

-                        goto finish;

-                }

-

+                assert(k >= 0);

+                if (k > 0)

+                        return -k;

                 if (!de)

                         break;

@@ -4469,43 +4460,25 @@ int get_files_in_directory(const char *path, char ***list) {

                         continue;

                 if (list) {

-                        if ((unsigned) r >= n) {

-                                char **t;

-

-                                n = MAX(16, 2*r);

-                                t = realloc(l, sizeof(char*) * n);

-                                if (!t) {

-                                        r = -ENOMEM;

-                                        goto finish;

-                                }

-

-                                l = t;

-                        }

-

-                        assert((unsigned) r < n);

+                        /* one extra slot is needed for the terminating NULL */

+                        if (!GREEDY_REALLOC(l, bufsize, n + 2))

+                                return -ENOMEM;

-                        l[r] = strdup(de->d_name);

-                        if (!l[r]) {

-                                r = -ENOMEM;

-                                goto finish;

-                        }

+                        l[n] = strdup(de->d_name);

+                        if (!l[n])

+                                return -ENOMEM;

-                        l[++r] = NULL;

+                        l[++n] = NULL;

                 } else

-                        r++;

+                        n++;

         }

-finish:

-        if (d)

-                closedir(d);

-

-        if (r >= 0) {

-                if (list)

-                        *list = l;

-        } else

-                strv_free(l);

+        if (list) {

+                *list = l;

+                l = NULL; /* avoid freeing */

+        }

-        return r;

+        return n;

 }

 char *strjoin(const char *x, ...) {

diff --git a/src/test/test-util.c b/src/test/test-util.c

index ad13d53..c5762ed 100644

--- a/src/test/test-util.c

+++ b/src/test/test-util.c

@@ -27,6 +27,7 @@

 #include <errno.h>

 #include "util.h"

+#include "strv.h"

 static void test_streq_ptr(void) {

         assert_se(streq_ptr(NULL, NULL));

@@ -582,6 +583,14 @@ static void test_fstab_node_to_udev_node(void) {

         free(n);

 }

+static void test_get_files_in_directory(void) {

+        _cleanup_strv_free_ char **l = NULL, **t = NULL;

+

+        assert_se(get_files_in_directory("/tmp", &l) >= 0);

+        assert_se(get_files_in_directory(".", &l) >= 0);

+        assert_se(get_files_in_directory(".", NULL) >= 0);

+}

+

 int main(int argc, char *argv[]) {

         test_streq_ptr();

         test_first_word();

@@ -618,6 +627,7 @@ int main(int argc, char *argv[]) {

         test_parse_user_at_host();

         test_split_pair();

         test_fstab_node_to_udev_node();

+        test_get_files_in_directory();

         return 0;

 }