Ticket #3581: mc-3581-sftpsfs-fix-bad-pointer-arithmetic-in-config_parser.patch

File mc-3581-sftpsfs-fix-bad-pointer-arithmetic-in-config_parser.patch, 6.1 KB (added by and, 5 years ago)
  • src/vfs/sftpfs/config_parser.c

    From 0cadef4c509ebb1c5425afae467f5a08a29466cb Mon Sep 17 00:00:00 2001
    From: Andreas Mohr <and@gmx.li>
    Date: Mon, 11 Jan 2016 20:49:06 +0000
    Subject: [PATCH] sftpfs: fix bad pointer arithmetic in config parser
    
    when reading ssh_config with matching host entry mc do bad pointer arithmetic. fix it!
    (also move offsetof values into struct to reduce human mistakes)
    
    ==18689==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000004910 at pc 0x000000641a8b bp 0x7ffca4ab65e0 sp 0x7ffca4ab65d8
    WRITE of size 8 at 0x604000004910 thread T0
        #0 0x641a8a in sftpfs_fill_config_entity_from_string /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:169:30
        #1 0x6413cf in sftpfs_fill_config_entity_from_config /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:271:13
        #2 0x640b73 in sftpfs_get_config_entity /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:310:14
        #3 0x64067d in sftpfs_fill_connection_data_from_config /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:354:21
        #4 0x61ef95 in sftpfs_cb_open_connection /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/vfs_subclass.c:111:5
        #5 0x7f1340c31beb in vfs_s_get_path /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:1139:18
        #6 0x7f1340c3685c in vfs_s_inode_from_path /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:380:9
        #7 0x7f1340c34807 in vfs_s_opendir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:409:11
        #8 0x7f1340c34ce8 in vfs_s_chdir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:476:12
        #9 0x7f1340c3a29f in mc_chdir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/interface.c:687:14
        #10 0x530f64 in _do_panel_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:3250:9
        #11 0x530e4e in do_panel_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:4627:9
        #12 0x532d34 in do_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:5027:11
        #13 0x50b64b in do_cd_command /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/command.c:445:14
        #14 0x50c516 in enter /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/command.c:265:9
        #15 0x52704c in midnight_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1473:17
        #16 0x7f1340c4c761 in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:505:15
        #17 0x7f1340c4cc32 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:570:9
        #18 0x7f1340c4c935 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1267:5
        #19 0x52654d in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1757:9
        #20 0x4f7d8a in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:401:21
        #21 0x7f133f1b8953 in __libc_start_main (/lib64/libc.so.6+0x20953)
        #22 0x427368 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/.libs/mc+0x427368)
    
    Signed-off-by: Andreas Mohr <and@gmx.li>
    ---
     src/vfs/sftpfs/config_parser.c | 29 +++++++++--------------------
     1 file changed, 9 insertions(+), 20 deletions(-)
    
    diff --git a/src/vfs/sftpfs/config_parser.c b/src/vfs/sftpfs/config_parser.c
    index 0e46cc9..e32e901 100644
    a b static struct 
    7979    size_t offset; 
    8080} config_variables[] = 
    8181{ 
    82     {"^\\s*User\\s+(.*)$", NULL, STRING, 0}, 
    83     {"^\\s*HostName\\s+(.*)$", NULL, STRING, 0}, 
    84     {"^\\s*IdentitiesOnly\\s+(.*)$", NULL, BOOLEAN, 0}, 
    85     {"^\\s*IdentityFile\\s+(.*)$", NULL, FILENAME, 0}, 
    86     {"^\\s*Port\\s+(.*)$", NULL, INTEGER, 0}, 
    87     {"^\\s*PasswordAuthentication\\s+(.*)$", NULL, BOOLEAN, 0}, 
    88     {"^\\s*PubkeyAuthentication\\s+(.*)$", NULL, STRING, 0}, 
     82    {"^\\s*User\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, user)}, 
     83    {"^\\s*HostName\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, real_host)}, 
     84    {"^\\s*IdentitiesOnly\\s+(.*)$", NULL, BOOLEAN, offsetof (sftpfs_ssh_config_entity_t, identities_only)}, 
     85    {"^\\s*IdentityFile\\s+(.*)$", NULL, FILENAME, offsetof (sftpfs_ssh_config_entity_t, identity_file)}, 
     86    {"^\\s*Port\\s+(.*)$", NULL, INTEGER, offsetof (sftpfs_ssh_config_entity_t, port)}, 
     87    {"^\\s*PasswordAuthentication\\s+(.*)$", NULL, BOOLEAN, offsetof (sftpfs_ssh_config_entity_t, password_auth)}, 
     88    {"^\\s*PubkeyAuthentication\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, pubkey_auth)}, 
    8989    {NULL, NULL, 0, 0} 
    9090}; 
     91 
    9192/* *INDENT-ON* */ 
    9293 
    9394/*** file scope functions ************************************************************************/ 
    sftpfs_correct_file_name (const char *filename) 
    131132 
    132133/* --------------------------------------------------------------------------------------------- */ 
    133134 
    134 /* FIXME: is pointer arith correct here? */ 
    135135#define POINTER_TO_STRUCTURE_MEMBER(type)  \ 
    136     ((type) (config_entity + (off_t) config_variables[i].offset)) 
     136    ((type) ((char *) config_entity + (size_t) config_variables[i].offset)) 
    137137 
    138138/** 
    139139 * Parse string and filling one config entity by parsed data. 
    sftpfs_fill_connection_data_from_config (struct vfs_s_super *super, GError ** mc 
    389389void 
    390390sftpfs_init_config_variables_patterns (void) 
    391391{ 
    392     size_t structure_offsets[] = { 
    393         offsetof (sftpfs_ssh_config_entity_t, user), 
    394         offsetof (sftpfs_ssh_config_entity_t, real_host), 
    395         offsetof (sftpfs_ssh_config_entity_t, identities_only), 
    396         offsetof (sftpfs_ssh_config_entity_t, identity_file), 
    397         offsetof (sftpfs_ssh_config_entity_t, port), 
    398         offsetof (sftpfs_ssh_config_entity_t, password_auth), 
    399         offsetof (sftpfs_ssh_config_entity_t, pubkey_auth) 
    400     }; 
    401  
    402392    int i; 
    403393 
    404394    for (i = 0; config_variables[i].pattern != NULL; i++) 
    sftpfs_init_config_variables_patterns (void) 
    407397            mc_search_new (config_variables[i].pattern, DEFAULT_CHARSET); 
    408398        config_variables[i].pattern_regexp->search_type = MC_SEARCH_T_REGEX; 
    409399        config_variables[i].pattern_regexp->is_case_sensitive = FALSE; 
    410         config_variables[i].offset = structure_offsets[i]; 
    411400    } 
    412401} 
    413402