Merge branch 'issue/4'

commit 9176c2c0999381f2aba65b0902c41713580fc8ae 2 parents 262c711 + 43d8659
fleuria authored
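--- a/src/inc/lib.h
+++ b/src/inc/lib.h
@@ -12,6 +12,7 @@ void* memcpy(void *dest, void *src, unsigned int count);
 void* memset(void *dest, char val, unsigned int count);
 short* memsetw(short *dest, short val, unsigned int count);
 int strlen(char *str);
+int strnlen(char *str, unsigned int size);
 char* strchr(const char *str, int c);
 char* strrchr(const char *str, int c);
 int strcmp(char *s1, char *s2);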
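--- a/src/inc/param.h
+++ b/src/inc/param.h
@@ -29,6 +29,7 @@ typedef unsigned int uint;
 #define NINDBLK (BLK/sizeof(ushort))
 #define MAX_FILESIZ ((7+NINDBLK+NINDBLK*NINDBLK)*BLK)
+#define MAX_PATHSIZ PAGE
 #define NULL ((void*)0)
 #define NUL 0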
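--- a/src/kern/sys2.c
+++ b/src/kern/sys2.c
@@ -27,7 +27,15 @@ int sys_access(struct trap *tf){
 struct inode *ip;
 int r;
- r = vm_verify(path, strlen(path)+1);
+ if (vm_verify(path, MAX_PATHSIZ) < 0) {
+ syserr(EFAULT);
+ return -1;
+ }
+
+ if (strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ) {
+ syserr(ENAMETOOLONG);
+ return -1;
+ }
 ip = namei(path, 0);
 if (ip==NULL) {
@@ -43,7 +51,15 @@ int sys_open(struct trap *tf){
 int mode = tf->edx;
 int r;
- r = vm_verify(path, strlen(path)+1);
+ if (vm_verify(path, MAX_PATHSIZ) < 0) {
+ syserr(EFAULT);
+ return -1;
+ }
+
+ if (strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ) {
+ syserr(ENAMETOOLONG);
+ return -1;
+ }
 return do_open(path, flag, mode);
 }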
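Review bot: The length check `strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ` in sys_access and sys_open only holds if strnlen can never return more than its bound. Writing it as `if (strnlen(path, MAX_PATHSIZ) >= MAX_PATHSIZ) {` keeps the ENAMETOOLONG path reliable whatever the helper returns for an unterminated buffer. Separately, `vm_verify(path, MAX_PATHSIZ)` now validates a full MAX_PATHSIZ bytes even for a short string, so a valid path that ends close to the end of a mapping would presumably be rejected with EFAULT; a comment stating whether that is intended would help. Both function bodies start outside their hunks, and sys_access also continues past its hunk.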
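--- a/src/lib/string.c
+++ b/src/lib/string.c
@@ -35,6 +35,12 @@ int strlen(char *str){
 return sp-str;
 }
+int strnlen(char *str, unsigned int len){
+ char *sp;
+ for (sp=str; *sp != '\0' && sp <= str+len; sp++);
+ return sp-str;
+}
+
 char* strcpy(char *dst, const char *src) {
 char *tmp = dst;
 while (*dst++ = *src++);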
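Review bot: The loop bound in the new `strnlen` is off by one: with `sp <= str+len` the scan reads `str[len]` and `str[len+1]` and returns `len+1` when no NUL is found within the bound. A caller that compares the result with the bound using `==`, as the sys2.c hunks in this commit do, would then not treat an unterminated buffer as too long. The pointer is also dereferenced before the bound is tested. Checking the bound first fixes both: `for (sp=str; sp < str+len && *sp != '\0'; sp++);`. The copy added in usr/libsys/string.c already uses `<` but has the same test order, so it still reads one byte past the bound, and the same line applies there.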
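--- a/src/mm/vm.c
+++ b/src/mm/vm.c
@@ -93,8 +93,14 @@ int vm_renew(struct vm *vm, struct ahead *ah, struct inode *ip){
 * pointer, on writing a write protected page, x86 do not raise
 * a page fault in ring0, so simulate a write only access as
 * what mmu does if nessary.
- * note: only use this routine before writing, be aware that do
- * not touch kernel memory.
+ *
+ * note:
+ * be aware that do NOT touch the memory in the second argument
+ * like `vm_verify(path, strlen(path) + 1)`, which is a bug
+ *
+ * note2:
+ * use this routine only before reading and writing the
+ * user memory.
 * */
 int vm_verify(uint vaddr, uint size){
 struct pde *pgd;
@@ -106,7 +112,7 @@ int vm_verify(uint vaddr, uint size){
 if (vaddr<KMEM_END || size<0) {
 return -1;
 }
- // special case on checking string.
+ // TODO: special case on checking string.
 for (page=PG_ADDR(vaddr); page<=PG_ADDR(vaddr+size-1); page+=PAGE) {
 pte = find_pte(cu->p_vm.vm_pgd, page, 1);
 if ((pte->pt_flag & PTE_P)==0) {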
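Review bot: The range check on the context line `if (vaddr<KMEM_END || size<0) {` does not guard the arithmetic in the loop bound below it: `size` is declared `uint`, so `size<0` is never true, and `vaddr+size-1` can wrap for an address near the top of the address space, in which case the page loop can run zero times. Now that callers pass a fixed MAX_PATHSIZ rather than the string length this is easier to reach, so consider `if (vaddr<KMEM_END || vaddr+size-1<vaddr) {`, which also rejects a zero size. What vm_verify returns when the loop is skipped is outside the hunk, so confirm that before relying on this. The new `// TODO: special case on checking string.` would be more useful if it said what remains to be done, for example whether the walk should stop at the string's terminator.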
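--- a/usr/libsys/string.c
+++ b/usr/libsys/string.c
@@ -35,6 +35,12 @@ int strlen(char *str){
 return sp-str;
 }
+int strnlen(char *str, unsigned int len){
+ char *sp;
+ for (sp=str; *sp != '\0' && sp < str+len; sp++);
+ return sp-str;
+}
+
 /* ------------------------------------------------------ */
 char* strcpy(char *dst, const char *src) {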