1. Fixed potential buffer overflow in gds__prefix* family of functions.

2. Changed second parameter declaration to be const.
2025-01-23 20:43:03 +01:00 · 2003-04-06 11:40:29 +00:00 · 2003-04-06 11:40:29 +00:00 · 86e6b77b50
commit 86e6b77b50
parent 982e623dfd
7 changed files with 57 additions and 50 deletions
--- a/src/gpre/ftn.cpp
+++ b/src/gpre/ftn.cpp
@ -24,7 +24,7 @@
 //
 //____________________________________________________________
 //
-//	$Id: ftn.cpp,v 1.19 2003-03-27 17:15:45 brodsom Exp $
+//	$Id: ftn.cpp,v 1.20 2003-04-06 11:40:29 alexpeshkoff Exp $
 //
 // 2002.10.28 Sean Leyne - Completed removal of obsolete "DGUX" port
 // 2002.10.28 Sean Leyne - Completed removal of obsolete "SGI" port
@ -1542,7 +1542,7 @@ static void gen_database_data( ACT action)
 	TPB tpb;
 	GPRE_REQ request;
 	BOOLEAN any_extern;
-	TEXT include_buffer[512];
+	TEXT include_buffer[MAXPATHLEN];

 	ISC_prefix(include_buffer, INCLUDE_FTN_FILE);
 	sprintf(output_buffer, INCLUDE_ISC_FTN, include_buffer);
--- a/src/jrd/gds.cpp
+++ b/src/jrd/gds.cpp
@ -402,6 +402,8 @@ static void		ndate(SLONG, struct tm *);
 static GDS_DATE	nday(struct tm *);
 static void		sanitize(TEXT *);

+static void		safe_concat_path(TEXT *destbuf, const TEXT *srcbuf);
+
 /* Generic cleanup handlers */

 typedef struct clean
@ -2345,7 +2347,7 @@ SLONG API_ROUTINE gds__get_prefix(SSHORT arg_type, TEXT * passed_string)


 #ifndef VMS
-void API_ROUTINE gds__prefix(TEXT *resultString, TEXT *file)
+void API_ROUTINE gds__prefix(TEXT *resultString, const TEXT *file)
 {
 /**************************************
 *
@ -2385,19 +2387,13 @@ void API_ROUTINE gds__prefix(TEXT *resultString, TEXT *file)
 		}
 	}
 	strcat(resultString, ib_prefix);
-
-	int len = strlen(resultString);
-	if (resultString[len - 1] != PathUtils::dir_sep) {
-		resultString[len] = PathUtils::dir_sep;
-		resultString[len + 1] = 0;
-	}
-	strcat(resultString, file);
+	safe_concat_path(resultString, file);
 }
 #endif /* !defined(VMS) */


 #ifdef VMS
-void API_ROUTINE gds__prefix(TEXT * string, TEXT * root)
+void API_ROUTINE gds__prefix(TEXT * string, const TEXT * root)
 {
 /**************************************
 *
@ -2447,7 +2443,7 @@ void API_ROUTINE gds__prefix(TEXT * string, TEXT * root)


 #ifndef VMS
-void API_ROUTINE gds__prefix_lock(TEXT * string, TEXT * root)
+void API_ROUTINE gds__prefix_lock(TEXT * string, const TEXT * root)
 {
 /********************************************************
 *
@ -2474,19 +2470,13 @@ void API_ROUTINE gds__prefix_lock(TEXT * string, TEXT * root)
 		}
 	}
 	strcat(string, ib_prefix_lock);
-
-	int len = strlen(string);
-	if (string[len - 1] != PathUtils::dir_sep) {
-		string[len] = PathUtils::dir_sep;
-		string[len + 1] = 0;
-	}
-	strcat(string, root);
+	safe_concat_path(string, root);
 }
 #endif


 #ifdef VMS
-void API_ROUTINE gds__prefix_lock(TEXT * string, TEXT * root)
+void API_ROUTINE gds__prefix_lock(TEXT * string, const TEXT * root)
 {
 /************************************************
 *
@ -2536,7 +2526,7 @@ void API_ROUTINE gds__prefix_lock(TEXT * string, TEXT * root)
 #endif

 #ifndef VMS
-void API_ROUTINE gds__prefix_msg(TEXT * string, TEXT * root)
+void API_ROUTINE gds__prefix_msg(TEXT * string, const TEXT * root)
 {
 /********************************************************
 *
@ -2564,18 +2554,12 @@ void API_ROUTINE gds__prefix_msg(TEXT * string, TEXT * root)
 		}
 	}
 	strcat(string, ib_prefix_msg);
-
-	int len = strlen(string);
-	if (string[len - 1] != PathUtils::dir_sep) {
-		string[len] = PathUtils::dir_sep;
-		string[len + 1] = 0;
-	}
-	strcat(string, root);
+	safe_concat_path(string, root);
 }
 #endif

 #ifdef VMS
-void API_ROUTINE gds__prefix_msg(TEXT * string, TEXT * root)
+void API_ROUTINE gds__prefix_msg(TEXT * string, const TEXT * root)
 {
 /************************************************
 *
@ -4740,6 +4724,31 @@ static void sanitize(TEXT * locale)
 	}
 }

+static void safe_concat_path(TEXT *resultString, const TEXT *appendString)
+{
+/**************************************
+ *
+ *	s a f e _ c o n c a t _ p a t h
+ *
+ **************************************
+ *
+ * Functional description
+ *	Safely appends appendString to resultString using paths rules.
+ *  resultString must be at least MAXPATHLEN size.
+ *
+ **************************************/
+	int len = strlen(resultString);
+	if (resultString[len - 1] != PathUtils::dir_sep && len < MAXPATHLEN - 1) {
+		resultString[len++] = PathUtils::dir_sep;
+		resultString[len] = 0;
+	}
+	int alen = strlen(appendString);
+	if (len + alen > MAXPATHLEN - 1)
+		alen = MAXPATHLEN - 1 - len;
+	assert(alen >= 0);
+	memcpy(&resultString[len], appendString, alen);
+	resultString[len + alen] = 0;
+}

 #ifdef DEBUG_GDS_ALLOC
 #undef gds__alloc
--- a/src/jrd/gds_proto.h
+++ b/src/jrd/gds_proto.h
@ -104,9 +104,9 @@ SSHORT	API_ROUTINE gds__msg_lookup(void*, USHORT, USHORT, USHORT,
 int		API_ROUTINE gds__msg_open(void**, TEXT*);
 void	API_ROUTINE gds__msg_put(void*, USHORT, USHORT, TEXT*, TEXT*,
 									 TEXT*, TEXT*, TEXT*);
-void	API_ROUTINE gds__prefix(TEXT*, TEXT*);
-void	API_ROUTINE gds__prefix_lock(TEXT*, TEXT*);
-void	API_ROUTINE gds__prefix_msg(TEXT*, TEXT*);
+void	API_ROUTINE gds__prefix(TEXT*, const TEXT*);
+void	API_ROUTINE gds__prefix_lock(TEXT*, const TEXT*);
+void	API_ROUTINE gds__prefix_msg(TEXT*, const TEXT*);

 SLONG	API_ROUTINE gds__get_prefix(SSHORT, TEXT*);
 STATUS	API_ROUTINE gds__print_status(STATUS*);
--- a/src/jrd/isc.cpp
+++ b/src/jrd/isc.cpp
@ -36,7 +36,7 @@
 *
 */
 /*
-$Id: isc.cpp,v 1.32 2003-04-03 10:09:58 brodsom Exp $
+$Id: isc.cpp,v 1.33 2003-04-06 11:40:25 alexpeshkoff Exp $
 */
 #ifdef DARWIN
 #define _STLP_CCTYPE
@ -1216,7 +1216,7 @@ SLONG API_ROUTINE ISC_get_prefix(TEXT * passed_string)
 	}
 	return (gds__get_prefix(arg_type, ++passed_string));
 }
-void API_ROUTINE ISC_prefix(TEXT * string, TEXT * root)
+void API_ROUTINE ISC_prefix(TEXT * string, const TEXT * root)
 {
 /**************************************
 *
@ -1232,7 +1232,7 @@ void API_ROUTINE ISC_prefix(TEXT * string, TEXT * root)
 	gds__prefix(string, root);
 	return;
 }
-void API_ROUTINE ISC_prefix_lock(TEXT * string, TEXT * root)
+void API_ROUTINE ISC_prefix_lock(TEXT * string, const TEXT * root)
 {
 /**************************************
 *
@ -1248,7 +1248,7 @@ void API_ROUTINE ISC_prefix_lock(TEXT * string, TEXT * root)
 	gds__prefix_lock(string, root);
 	return;
 }
-void API_ROUTINE ISC_prefix_msg(TEXT * string, TEXT * root)
+void API_ROUTINE ISC_prefix_msg(TEXT * string, const TEXT * root)
 {
 /**************************************
 *
--- a/src/jrd/isc_proto.h
+++ b/src/jrd/isc_proto.h
@ -41,9 +41,9 @@ extern int INTERNAL_API_ROUTINE ISC_get_user(TEXT *, int *, int *, TEXT *,
 extern SLONG ISC_get_user_group_id(TEXT *);
 extern void ISC_set_user(TEXT *);
 extern SLONG API_ROUTINE ISC_get_prefix(TEXT *);
-extern void API_ROUTINE ISC_prefix(TEXT *, TEXT *);
-extern void API_ROUTINE ISC_prefix_lock(TEXT *, TEXT *);
-extern void API_ROUTINE ISC_prefix_msg(TEXT *, TEXT *);
+extern void API_ROUTINE ISC_prefix(TEXT *, const TEXT *);
+extern void API_ROUTINE ISC_prefix_lock(TEXT *, const TEXT *);
+extern void API_ROUTINE ISC_prefix_msg(TEXT *, const TEXT *);

 #ifdef VMS
 extern int ISC_expand_logical_once(TEXT *, USHORT, TEXT *);
--- a/src/jrd/svc.cpp
+++ b/src/jrd/svc.cpp
@ -710,7 +710,7 @@ SVC SVC_attach(USHORT	service_length,
 #endif
 	{
 #ifndef SUPERSERVER
-		gds__prefix(service_path, const_cast<TEXT*>(serv->serv_executable));
+		gds__prefix(service_path, serv->serv_executable);
 		service_fork(service_path, service);
 #else
 		/* if service is single threaded, only call if not currently running */
@ -1417,6 +1417,7 @@ void SVC_query(SVC		service,
 **************************************/
 	SCHAR item, *items, *end_items, *end, *p, *q;
 	UCHAR buffer[256];
+	TEXT PathBuffer[MAXPATHLEN];
 	USHORT l, length, version, get_flags;
 	USHORT timeout;

@ -1541,24 +1542,21 @@ void SVC_query(SVC		service,
 		case isc_info_svc_get_env_msg:
 			switch (item) {
 			case isc_info_svc_get_env:
-				gds__prefix(reinterpret_cast < char *>(buffer), "");
+				gds__prefix(PathBuffer, "");
 				break;
 			case isc_info_svc_get_env_lock:
-				gds__prefix_lock(reinterpret_cast < char *>(buffer), "");
+				gds__prefix_lock(PathBuffer, "");
 				break;
 			case isc_info_svc_get_env_msg:
-				gds__prefix_msg(reinterpret_cast < char *>(buffer), "");
+				gds__prefix_msg(PathBuffer, "");
 			}

 			/* Note: it is safe to use strlen to get a length of "buffer"
 			   because gds_prefix[_lock|_msg] return a zero-terminated
 			   string
 			 */
-			if (!(info = INF_put_item(item,
-									  strlen(reinterpret_cast <
-											 char *>(buffer)),
-									  reinterpret_cast < char *>(buffer),
-									  info, end))) {
+			if (!(info = INF_put_item(item, strlen(PathBuffer),
+									  PathBuffer, info, end))) {
 				THREAD_ENTER;
 				return;
 			}
@ -2069,7 +2067,7 @@ void *SVC_start(SVC service, USHORT spb_length, SCHAR * spb)

 #ifndef SUPERSERVER
 	if (serv->serv_executable) {
-		gds__prefix(service_path, const_cast<TEXT*>(serv->serv_executable));
+		gds__prefix(service_path, serv->serv_executable);
 		service->svc_flags = SVC_forked;
 		service_fork(service_path, service);
 	}
--- a/src/qli/help.epp
+++ b/src/qli/help.epp
@ -92,7 +92,7 @@ void HELP_help( SYN node)
 **************************************/
 	NAM *ptr, *end;
 	USHORT max_level;
-	TEXT target[128], **topic, *topics[16];
+	TEXT target[MAXPATHLEN], **topic, *topics[16];

 	if (!HELP_DB) {
 		gds__prefix(target, TARGET);