bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#11374: emacsclient: avoid invalid strcpy upon partial send and buffe


From: Jim Meyering
Subject: bug#11374: emacsclient: avoid invalid strcpy upon partial send and buffer overrun upon failed send.
Date: Sun, 29 Apr 2012 00:01:14 +0200

This patch is untested.  I didn't even try to compile it.

>From dde8915c64f020e72a141702257db91fafca5523 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Sat, 28 Apr 2012 22:43:55 +0200
2012-04-28  Jim Meyering  <address@hidden>
Subject: [PATCH 2/5] emacsclient: avoid invalid strcpy upon partial send and
 buffer overrun

...upon failed send.

* lib-src/emacsclient.c (send_to_emacs): Simplify and fix two bugs:
- before, we could call strcpy with overlapping buffers upon partial
send, but strcpy cannot handle overlapping buffers.  Use memcopy.
- before, we would call strcpy(send_buffer, &send_buffer[-1]) upon
failed "send", resulting in an invalid read and a buffer overrun
when that first byte is not 0.  Diagnose the failure.
Also, call strlen just once, rather than for each iteration.
---
 lib-src/emacsclient.c |   36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/lib-src/emacsclient.c b/lib-src/emacsclient.c
index 48b4384..addc089 100644
--- a/lib-src/emacsclient.c
+++ b/lib-src/emacsclient.c
@@ -783,33 +783,33 @@ sock_err_message (const char *function_name)
 static void
 send_to_emacs (HSOCKET s, const char *data)
 {
-  while (data)
+  if (!data)
+    return;
+
+  size_t dlen = strlen (data);
+  while (*data)
     {
-      size_t dlen = strlen (data);
-      if (dlen + sblen >= SEND_BUFFER_SIZE)
-       {
-         int part = SEND_BUFFER_SIZE - sblen;
-         strncpy (&send_buffer[sblen], data, part);
-         data += part;
-         sblen = SEND_BUFFER_SIZE;
-       }
-      else if (dlen)
-       {
-         strcpy (&send_buffer[sblen], data);
-         data = NULL;
-         sblen += dlen;
-       }
-      else
-       break;
+      size_t part = min (dlen, SEND_BUFFER_SIZE - sblen);
+      memcpy (&send_buffer[sblen], data, part);
+      data += part;
+      sblen += part;

       if (sblen == SEND_BUFFER_SIZE
          || (sblen > 0 && send_buffer[sblen-1] == '\n'))
        {
          int sent = send (s, send_buffer, sblen, 0);
+         if (sent < 0)
+           {
+             message (TRUE, "%s: failed to send %d bytes to socket: %s\n",
+                      progname, sblen, strerror (errno));
+             fail ();
+           }
          if (sent != sblen)
-           strcpy (send_buffer, &send_buffer[sent]);
+           memcopy (send_buffer, &send_buffer[sent], sblen - sent);
          sblen -= sent;
        }
+
+      dlen -= part;
     }
 }

--
1.7.10.382.g62bc8





reply via email to

[Prev in Thread] Current Thread [Next in Thread]