plumber: fail on buffer exhaustion or runaway quotes in string expansion

2025-01-12 11:10:07 +00:00 · 2022-08-16 20:25:27 +08:00 · 2022-08-16 20:25:27 +08:00 · e4b913866b
commit e4b913866b
parent a4af25bc0d
1 changed files with 25 additions and 11 deletions
--- a/src/cmd/plumb/rules.c
+++ b/src/cmd/plumb/rules.c
@ -289,17 +289,30 @@ dollar(Exec *e, char *s, int *namelen)
 	return variable(s, n);
 }

+static void
+ruleerror(char *msg)
+{
+	if(parsing){
+		parsing = 0;
+		parseerror("%s", msg);
+	}
+	error("%s", msg);
+}
+
 /* expand one blank-terminated string, processing quotes and $ signs */
 char*
 expand(Exec *e, char *s, char **ends)
 {
 	char *p, *ep, *val;
-	int namelen, quoting;
+	int namelen, vallen, quoting, inputleft;

 	p = ebuf;
 	ep = ebuf+sizeof ebuf-1;
 	quoting = 0;
-	while(p<ep && *s!='\0' && (quoting || (*s!=' ' && *s!='\t'))){
+	for(;;){
+		inputleft = (*s!='\0' && (quoting || (*s!=' ' && *s!='\t')));
+		if(!inputleft || p==ep)
+			break;
 		if(*s == '\''){
 			s++;
 			if(!quoting)
@ -321,12 +334,17 @@ expand(Exec *e, char *s, char **ends)
 			*p++ = '$';
 			continue;
 		}
-		if(ep-p < strlen(val))
-			return "string-too-long";
+		vallen = strlen(val);
+		if(ep-p < vallen)
+			break;
 		strcpy(p, val);
-		p += strlen(val);
+		p += vallen;
 		s += namelen;
 	}
+	if(inputleft)
+		ruleerror("expanded string too long");
+	else if(quoting)
+		ruleerror("runaway quoted string literal");
 	if(ends)
 		*ends = s;
 	*p = '\0';
@ -336,11 +354,7 @@ expand(Exec *e, char *s, char **ends)
 void
 regerror(char *msg)
 {
-	if(parsing){
-		parsing = 0;
-		parseerror("%s", msg);
-	}
-	error("%s", msg);
+	ruleerror(msg);
 }

 void