bareos2015: bareos-14.2 9c92773e
Author | Committer | Branch | Timestamp | Parent | |
---|---|---|---|---|---|
Andre Noll | mvwieringen | bareos-14.2 | 2013-12-17 18:11 | bareos-14.2 fbb4d1c3 | Pending |
Changeset

lib/parse_conf.c: Don't segfault on parse errors.

During daemon startup, parse_config() calls lex_open_file() which returns a pointer to an initialized LEX structure on success or a NULL pointer on failure, for example because the given config file does not exist. In the error case parse_config() allocates a LEX structure of its own and initializes it with zeroes. In particular, this sets its POOLMEM pointer ->str to NULL. Since ->str is used as the destination for bstrncpy() a few lines later, a NULL pointer dereference results:

```
==2957== Memcheck, a memory error detector
==2957== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2957== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2957== Command: /usr/local/bareos/sbin/bareos-dir -t
==2957==
==2957== Invalid write of size 1
==2957==    at 0x4C2C2F7: __GI_strncpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2957==    by 0x56AB800: bstrncpy(char*, char const*, int) (bsys.c:175)
==2957==    by 0x547E1EF: CONFIG::parse_config() (parse_conf.c:281)
==2957==    by 0x40C5BA: main (dird.c:282)
==2957==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2957==
```

This patch avoids the NULL pointer dereference by using the local cf variable instead of trying to create a copy.

This bug was probably introduced in commit 12a0fdd0 (Config engine redesign Phase 1) a few months back, since the unpatched code would work fine if ->str was an array, and 12a0fdd0 changed the type from array to pointer:

```diff
- char str[MAXSTRING]; /* string being scanned */
+ POOLMEM *str; /* string being scanned */
```

Signed-off-by: Philipp Storz <philipp.storz@bareos.com>
mod - src/lib/parse_conf.c
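The failure mode described in the commit message, as an added C model that is not Bareos code: the struct layouts, lex_open_file() and parse_config() below are hypothetical stand-ins for the real ones, and bstrncpy() is modelled only as far as the trace shows it. It shows why a zeroed LEX was harmless while ->str was an array, why it faults once ->str is a pointer, and the fixed error path that reports the local cf instead of copying into the zeroed structure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXSTRING 256
/* Hypothetical models of the LEX string member before and after 12a0fdd0: a zeroed
 * inline array is still writable storage, a zeroed pointer is NULL (address 0). */
struct lex_array { char str[MAXSTRING]; };
struct lex_ptr   { char *str; };
/* Model of bstrncpy() from the trace: strncpy that always NUL-terminates. */
static char *bstrncpy(char *dest, const char *src, int maxlen)
{
    strncpy(dest, src, maxlen - 1);
    dest[maxlen - 1] = 0;
    return dest;
}
/* Hypothetical lex_open_file(): NULL if the config file cannot be opened. */
static struct lex_ptr *lex_open_file(const char *cf)
{
    FILE *f = fopen(cf, "r");
    if (!f) return NULL;
    fclose(f);
    struct lex_ptr *lc = calloc(1, sizeof *lc);
    if (lc && !(lc->str = calloc(MAXSTRING, 1))) { free(lc); lc = NULL; }
    return lc;
}
/* Fixed error path in the shape the commit describes: report the local cf directly
 * instead of copying it into a zeroed LEX. Returns 0 on success, -1 on error. */
static int parse_config(const char *cf, char *errmsg, int errlen)
{
    struct lex_ptr *lc = lex_open_file(cf);
    if (!lc) {
        snprintf(errmsg, errlen, "Cannot open config file \"%s\"", cf);
        return -1;
    }
    bstrncpy(lc->str, cf, MAXSTRING); /* safe: ->str is real storage here */
    free(lc->str); free(lc);
    return 0;
}
/* Constructed checks: the array layout tolerated the copy into a zeroed LEX; the
 * fixed error path names a missing file (constructed path) without touching ->str. */
int old_layout_tolerates_copy(const char *cf)
{
    struct lex_array lc = {{0}};
    return strcmp(bstrncpy(lc.str, cf, MAXSTRING), cf) == 0;
}
int missing_config_is_reported(void)
{
    char msg[MAXSTRING];
    int rc = parse_config("/nonexistent/dir/bareos-dir.conf", msg, sizeof msg);
    return rc == -1 && strstr(msg, "/nonexistent/dir/bareos-dir.conf") != NULL;
}
```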