From cse.psu.edu!owner-9fans Wed Oct  9 12:51:12 1996
From:	forsyth@plan9.cs.york.ac.uk
Message-Id: <199610091641.MAA21387@cse.psu.edu>
To:	9fans@cse.psu.edu
Date:	Wed, 9 Oct 1996 12:40:40 -0400
subject: fix to /sys/src/libc/port/dial.c
Sender: owner-9fans@cse.psu.edu
Reply-To: 9fans@cse.psu.edu

errstr changed between editions so that it now exchanges the
contents of the two buffers.  dial.c wasn't changed accordingly, but
there is at least one path through dial where errstr can be called
with an uninitialised byte array, which is copied into the process's
error string.  (specifically, if ndb/cs doesn't return anything.)
ordinarily, that does no great harm, but if there is a % in the rubbish,
it causes trouble: the string is fetched by a later errstr, then
passed to werrstr as a format, in which % can cause various kinds of havoc.
ndb/dns can blow up, for instance.

the simple fix is to ensure that errstr's argument buffer is initialised,
and use errstr not werrstr to set the string in some cases.
i changed a few sprint to snprint while i was at it, just in case,
and initialised a default error message in one case.

a boddle file is in ftp://ftp.cs.york.ac.uk/plan9/bod/dial.bod.
here are some diffs.

term% diff /n/cd/libc/port/dial.c /sys/src/libc/port/dial.c
51a52
> 	err[0] = 0;
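Review bot: zeroing err here fixes the uninitialised-bytes case, but since errstr exchanges rather than copies, an errstr(err) reached while err is still empty replaces the process error string with an empty string and the caller loses whatever diagnostic was there. It is worth a comment at this line saying which later assignment (for example the default message added at 108) is expected to fill err before it is handed to errstr.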
54c55
< 		werrstr(err);
---
> 		errstr(err);
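Review bot: the substitution is right for the reason given in the text, since errstr stores the bytes verbatim while werrstr parses its first argument as a format (the equivalent werrstr spelling would be werrstr("%s", err)). Note the side effect of the new call: errstr writes the previous error string back into err, so err no longer holds the message after this line; fine as long as err is not reused on this path without being reassigned.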
62a64
> 	alterr[0] = 0;
65c67
< 		werrstr(err);
---
> 		errstr(err);
67c69
< 		werrstr(alterr);
---
> 		errstr(alterr);
95c97
< 	sprint(buf, "%s!%s", ds->proto, ds->rem);
---
> 	snprint(buf, sizeof(buf), "%s!%s", ds->proto, ds->rem);
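Review bot: sizeof(buf) is only the buffer size if buf is declared as a local array here rather than a char* parameter, so check the declaration. Also, snprint truncates silently: if ds->proto and ds->rem together overflow buf, the truncated "proto!rem" string is what gets translated and reported (it is the same buf used in the "can't translate address" message at 108), so consider checking snprint's return value and failing the dial outright on truncation rather than looking up a mangled address.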
105a108
> 	snprint(err, sizeof(err), "%s: can't translate address", buf);
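Review bot: this is the default message the text mentions, but the patch also adds err[0] = 0 at line 121 inside a more deeply indented block, which will discard this default on any path that reaches 121 before err is handed to errstr. Confirm the ordering, or move the default message to where err is consumed so the "can't translate address" text is guaranteed to survive to the errstr(err) at 131 when cs returns nothing.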
117a121
> 		err[0] = 0;
125c129
< 		werrstr(besterr);
---
> 		errstr(besterr);
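Review bot: unlike err and alterr, besterr is not zeroed anywhere in this diff, and with errstr's exchange semantics whatever bytes besterr holds become the process error string. If besterr can reach this line without having been assigned on every path, the uninitialised-buffer problem described in the text still exists for it; a besterr[0] = 0 next to the other two initialisations would close that.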
127c131
< 		werrstr(err);
---
> 		errstr(err);

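As an added illustration (not Plan 9's libc and not part of the posted patch), here is a C model of the two behaviours the message relies on: errstr exchanging a buffer with the process error string byte for byte, and werrstr interpreting its first argument as a format. The model's errstr takes a length argument, and dial_seterr and safe_as_format are constructed stand-ins for the fixed dial path and for a check on strings about to be used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { ERRMAX = 128 };
static char procerr[ERRMAX];       /* model of the process's error string */

/* errstr: exchange buf with the process error string (constructed model of
 * the newer edition's behaviour); no format parsing takes place. */
static void errstr(char *buf, int n)
{
	char tmp[ERRMAX];
	snprintf(tmp, sizeof tmp, "%s", procerr);
	snprintf(procerr, sizeof procerr, "%s", buf);
	snprintf(buf, n, "%s", tmp);
}

/* werrstr: set the process error string from a printf-style format. */
static void werrstr(const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(procerr, sizeof procerr, fmt, ap);
	va_end(ap);
}

/* Model of the fixed dial path. csreply is what ndb/cs returned for addr,
 * NULL when it returned nothing (the case the fix is about). Mirrors the
 * patch: zero err, install a default message, then set it with errstr. */
static const char *dial_seterr(const char *addr, const char *csreply)
{
	char err[ERRMAX];
	err[0] = 0;                                       /* never pass rubbish */
	snprintf(err, sizeof err, "%s: can't translate address", addr);
	if(csreply != NULL)
		snprintf(err, sizeof err, "%s", csreply);     /* cs's own text, as data */
	errstr(err, sizeof err);                          /* bytes stored verbatim */
	return procerr;
}

/* A string fetched by errstr is only safe as a werrstr format if every '%'
 * is the literal "%%"; anything else must go through werrstr("%s", s). */
static int safe_as_format(const char *s)
{
	for(; (s = strchr(s, '%')) != NULL; s += 2)
		if(s[1] != '%')
			return 0;
	return 1;
}
```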