Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20210827164928.GW13220@brightrain.aerifal.cx>
Date: Fri, 27 Aug 2021 12:49:28 -0400
From: Rich Felker <dalias@...c.org>
To: Érico Nogueira <ericonr@...root.org>
Cc: musl@...ts.openwall.com, Alyssa Ross <hi@...ssa.is>
Subject: Re: [PATCH musl 3/3] mntent: fix parsing lines with optional
 fields

On Fri, Aug 27, 2021 at 12:27:36PM -0300, Érico Nogueira wrote:
> On Sat Aug 21, 2021 at 5:54 AM -03, Alyssa Ross wrote:
> > According to fstab(5), the last two fields are optional, but this
> > wasn't accepted by Musl. After this change, only the first field is
> > required, which matches Glibc's behaviour.
> >
> > Using sscanf as before, it would have been impossible to differentiate
> > between 0 fields and 4 fields, because sscanf would have returned 0 in
> > both cases due to the use of assignment suppression and %n for the
> > string fields (which is important to avoid copying any strings). So
> > instead, before calling sscanf, initialize every string to the empty
> > string, and then we can check which strings are empty afterwards to
> > know how many fields were matched.
> 
> Besides typing change noted below, the change sounds reasonable.
> 
> If you want to fix another issue around mntent, hasmntopts has some
> troubles too :p
> 
> > ---
> >
> > We could also be stricter about it, and enforce that the first four
> > fields are present, since the man page says only the last two are
> > optional. Doing that would be a simple change of checking for the
> > presence of mnt_opts instead of mnt_fsname at the end of my patch.
> >
> > src/misc/mntent.c | 18 +++++++++++++-----
> > 1 file changed, 13 insertions(+), 5 deletions(-)
> >
> > diff --git a/src/misc/mntent.c b/src/misc/mntent.c
> > index eabb8200..5a68f0b9 100644
> > --- a/src/misc/mntent.c
> > +++ b/src/misc/mntent.c
> > @@ -21,7 +21,8 @@ int endmntent(FILE *f)
> >  
> > struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf,
> > int buflen)
> > {
> > - int cnt, n[8], use_internal = (linebuf == SENTINEL);
> > + int use_internal = (linebuf == SENTINEL);
> > + size_t len, i, n[8];
> 
> Try avoiding unrelated changes in the commit, since they can introduce
> subtle bugs. In this case, making n size_t[] instead of int[] will lead
> to pointer type mismatches in the sscanf call, given that %n expects an
> int*.
> 
> I don't know if *scanf guarantees it won't read enough to go past

For *scanf in general there is no such guarantee; not even size_t is
safe for fscanf. However, here you have sscanf and the number is
bounded by strlen(linebuf).

> INT_MAX, though, so making a change to size_t[] and using %ln might make
> sense. Deferring to someone else to answer that.

The conversion specifier for size_t is %zu not %ln. Since in theory
strlen(linebuf) could be more than INT_MAX, I think this change should
be made, but it should be a separate bugfix.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.