bareos2015: bareos-14.2 9c92773e

Author Committer Branch Timestamp Parent
Andre Noll mvwieringen bareos-14.2 2013-12-17 18:11 bareos-14.2 fbb4d1c3 Pending
Changeset lib/parse_conf.c: Don't segfault on parse errors.

During daemon startup, parse_config() calls lex_open_file() which
returns a pointer to an initialized LEX structure on success or a
NULL pointer on failure, for example because the given config file
does not exist.

In the error case parse_config() allocates a LEX structure of its own
and initializes it with zeroes. In particular, this sets its POOLMEM
pointer ->str to NULL. Since ->str is used as the destination for
bstrncpy() a few lines later, a NULL pointer dereference results:

    ==2957== Memcheck, a memory error detector
    ==2957== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
    ==2957== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
    ==2957== Command: /usr/local/bareos/sbin/bareos-dir -t
    ==2957==
    ==2957== Invalid write of size 1
    ==2957== at 0x4C2C2F7: __GI_strncpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==2957== by 0x56AB800: bstrncpy(char*, char const*, int) (bsys.c:175)
    ==2957== by 0x547E1EF: CONFIG::parse_config() (parse_conf.c:281)
    ==2957== by 0x40C5BA: main (dird.c:282)
    ==2957== Address 0x0 is not stack'd, malloc'd or (recently) free'd
    ==2957==

This patch avoids the NULL pointer dereference by using the local cf
variable instead of trying to create a copy.

This bug was probably introduced in commit 12a0fdd0 (Config engine
redesign Phase 1) a few months back, since the unpatched code would
work fine if ->str was an array, and 12a0fdd0 changed the type from
array to pointer:

    - char str[MAXSTRING]; /* string being scanned */
    + POOLMEM *str; /* string being scanned */

Signed-off-by: Philipp Storz <philipp.storz@bareos.com>
mod - src/lib/parse_conf.c Diff File