|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
From 6a15ce2b3eb852023d77787f96c6a4a72eb4d60d Mon Sep 17 00:00:00 2001
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
From: David Herrmann <dh.herrmann@gmail.com>
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
Date: Thu, 2 Oct 2014 17:09:05 +0200
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
Subject: [PATCH] terminal/grdev: simplify DRM event parsing
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
Coverity complained about this code and is partially right. We are not
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
really protected against integer overflows. Sure, unlikely, but lets just
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
avoid any overflows and properly protect our parser loop.
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
---
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
src/libsystemd-terminal/grdev-drm.c | 12 +++++-------
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
1 file changed, 5 insertions(+), 7 deletions(-)
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
diff --git a/src/libsystemd-terminal/grdev-drm.c b/src/libsystemd-terminal/grdev-drm.c
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
index 7a6e1d993b..6b130116d7 100644
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
--- a/src/libsystemd-terminal/grdev-drm.c
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+++ b/src/libsystemd-terminal/grdev-drm.c
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
@@ -2195,7 +2195,8 @@ static int grdrm_card_io_fn(sd_event_source *s, int fd, uint32_t revents, void *
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
uint32_t id, counter;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
grdrm_object *object;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
char buf[4096];
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- ssize_t l, i;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+ size_t len;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+ ssize_t l;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
if (revents & (EPOLLHUP | EPOLLERR)) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
/* Immediately close device on HUP; no need to flush pending
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
@@ -2214,15 +2215,12 @@ static int grdrm_card_io_fn(sd_event_source *s, int fd, uint32_t revents, void *
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
log_debug("grdrm: %s/%s: read error: %m", card->base.session->name, card->base.name);
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
grdrm_card_close(card);
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
return 0;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- } else if ((size_t)l < sizeof(*event)) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- log_debug("grdrm: %s/%s: short read of %zd bytes", card->base.session->name, card->base.name, l);
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- return 0;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
}
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- for (i = 0; i < l; i += event->length) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- event = (void*)&buf[i];
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+ for (len = l; len > 0; len -= event->length) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+ event = (void*)buf;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
- if (i + (ssize_t)sizeof(*event) > l || i + (ssize_t)event->length > l) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
+ if (len < sizeof(*event) || len < event->length) {
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
log_debug("grdrm: %s/%s: truncated event", card->base.session->name, card->base.name);
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
break;
|
|
Zbigniew Jędrzejewski-Szmek |
62fe94 |
}
|