Guys,

I see a few problems with the function idbm_recinfo_config(). Can someone please take a look and confirm?

    void idbm_recinfo_config(recinfo_t *info, FILE *f)
    {
        char name[NAME_MAXVAL];
        char value[VALUE_MAXVAL];
        char *line, *nl, buffer[2048];
        int line_number = 0;
        int c = 0, i;

        fseek(f, 0, SEEK_SET);

        /* process the config file */
        do {
            line = fgets(buffer, sizeof (buffer), f);
            line_number++;
            if (!line)
                continue;

            nl = line + strlen(line) - 1;
            if (*nl != '\n') {
                log_warning("Config file line %d too long.",
                            line_number);
                continue;
            }

Here, if the line is so long that it cannot fit into the buffer, shouldn't we ignore the rest of the line?

Secondly, while reading the "name", we do not check for the array size.

    /* parse name */
    i=0; nl = line; *name = 0;
    while (*nl && !isspace(c = *nl) && *nl != '=') {
        *(name+i) = *nl; i++; nl++;   <<< we may go beyond end of array "name".
    }

Similarly, we can go beyond end of array "value".

    while (*nl) {
        *(value+i) = *nl; i++; nl++;
    }

thanks,
rahul
Hi!
Simple proposal: Detect if the buffer read is completely full. Then issue a warning that the following read is expected to read nonsense.
It doesn't fix the problem, but keeps people aware should the problem become relevant.
Weak variant: Add a comment in the source to document that.
Regards,
Ulrich
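
The two points raised in this thread (discarding the remainder of an overlong line, and bounding the copies into name and value), shown as an added example that is not open-iscsi code. read_line and parse_pair are hypothetical helpers; the buffer sizes and the "name = value" syntax are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAXVAL  128  /* assumed; the real sizes are not shown in the thread */
#define VALUE_MAXVAL 256  /* assumed */

/* 0 = line read (newline stripped), 1 = too long (rest discarded), -1 = EOF. */
int read_line(FILE *f, char *buf, size_t size)
{
    size_t len;
    int c;
    if (!fgets(buf, (int)size, f))
        return -1;
    len = strlen(buf);
    if (len && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    if (len < size - 1) return 0;   /* final line without a newline */
    while ((c = fgetc(f)) != EOF && c != '\n')
        ;                           /* drop the tail so it is not parsed as a new line */
    return 1;
}

/* Split "name = value" (assumed syntax); -1 if malformed or a part does not fit. */
int parse_pair(const char *p, char *name, size_t nsz, char *value, size_t vsz)
{
    size_t i = 0;
    while (*p && !isspace((unsigned char)*p) && *p != '=') {
        if (i + 1 >= nsz) return -1;    /* keep room for the terminator */
        name[i++] = *p++;
    }
    name[i] = '\0';
    while (isspace((unsigned char)*p)) p++;
    if (i == 0 || *p++ != '=') return -1;
    while (isspace((unsigned char)*p)) p++;
    for (i = 0; *p; p++) {
        if (i + 1 >= vsz) return -1;    /* same bound for the value copy */
        value[i++] = *p;
    }
    value[i] = '\0';
    return 0;
}
```

A caller would log and skip any line for which read_line returns 1 or parse_pair returns -1. A line that fills the buffer exactly is treated as too long.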