From patchwork Thu Jun 27 21:11:31 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gregor Jasny <gjasny@googlemail.com>
X-Patchwork-Id: 19100
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1UsJTr-0002LF-GM; Thu, 27 Jun 2013 23:11:51 +0200
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-5) with esmtp
	id 1UsJTp-0001E2-8R; Thu, 27 Jun 2013 23:11:51 +0200
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754128Ab3F0VLr (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Thu, 27 Jun 2013 17:11:47 -0400
Received: from mail-ee0-f52.google.com ([74.125.83.52]:35267 "EHLO
	mail-ee0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753849Ab3F0VLq (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Thu, 27 Jun 2013 17:11:46 -0400
Received: by mail-ee0-f52.google.com with SMTP id c50so655808eek.25
	for <linux-media@vger.kernel.org>;
	Thu, 27 Jun 2013 14:11:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references;
	bh=uvLqX8aZCz3A4hvvw3guVOXmY9uawui6S1e6F6NDABo=;
	b=k1Mm69bicLGaPJxLzzUULbzs9fKFqoqtjJy+Oq1OHNWgbmcUwjwbmzoiUmykWzpQP7
	8W2C9l62RUm+kBoWX00veu4Wfo6CGEuRAn02QxFbzy5/GOq0W/fukQgdHo3mwyLXzd9z
	0/DRd4Ocg5Pi9DqKEinjXUq0/jILCNA6ZWZyTmULDM9UjgGpd2y/J5sBQdHAU0ay7ySi
	1bcIpb2MTxZqiXI/KhwD+HyRyIvIhaqFi6ZeldTtbGzWlwpMdyPlsVZ3EBUbD8m9wB3x
	Gag+nuxGBBRQhiVg5wRlf31zlWJ4pTpIVX5y7DuRweiTXpfvy593swowfHD21c04dWbZ
	o9zg==
X-Received: by 10.14.251.202 with SMTP id b50mr10698075ees.85.1372367505117;
	Thu, 27 Jun 2013 14:11:45 -0700 (PDT)
Received: from sid.fritz.box (g229037005.adsl.alicedsl.de. [92.229.37.5])
	by mx.google.com with ESMTPSA id
	p49sm6269104eeu.2.2013.06.27.14.11.43 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 27 Jun 2013 14:11:44 -0700 (PDT)
From: Gregor Jasny <gjasny@googlemail.com>
To: linux-media@vger.kernel.org
Cc: Gregor Jasny <gjasny@googlemail.com>
Subject: [PATCH 2/2] keytable: Always check if strtok return value is null
Date: Thu, 27 Jun 2013 23:11:31 +0200
Message-Id: <1372367491-13187-3-git-send-email-gjasny@googlemail.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1372367491-13187-1-git-send-email-gjasny@googlemail.com>
References: <1372367491-13187-1-git-send-email-gjasny@googlemail.com>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2013.6.27.210624
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0,
	BODY_SIZE_2000_2999 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, DKIM_SIGNATURE 0, URI_ENDS_IN_HTML 0,
	__ANY_URI 0, __CP_URI_IN_BODY 0, __FRAUD_BODY_WEBMAIL 0,
	__FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __HAS_FROM 0,
	__HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0,
	__IN_REP_TO 0, __MIME_TEXT_ONLY 0, __PHISH_SPEAR_STRUCTURE_1 0,
	__SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0,
	__TO_NO_NAME 0, __URI_NS , __YOUTUBE_RCVD 0'

The Mayhem Team found a crash caused by a nullptr.
Details are here:
http://www.forallsecure.com/bug-reports/567323cd26f180910beb03ae26afb40c432a0c6a/

Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
 utils/keytable/keytable.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/utils/keytable/keytable.c b/utils/keytable/keytable.c
index 06b3d95..8bcd5c4 100644
--- a/utils/keytable/keytable.c
+++ b/utils/keytable/keytable.c
@@ -207,13 +207,19 @@ static error_t parse_keyfile(char *fname, char **table)
 			p++;
 			p = strtok(p, "\n\t =:");
 			do {
+				if (!p)
+					goto err_einval;
 				if (!strcmp(p, "table")) {
 					p = strtok(NULL,"\n, ");
+					if (!p)
+						goto err_einval;
 					*table = malloc(strlen(p) + 1);
 					strcpy(*table, p);
 				} else if (!strcmp(p, "type")) {
 					p = strtok(NULL, " ,\n");
 					do {
+						if (!p)
+							goto err_einval;
 						if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5"))
 							ch_proto |= RC_5;
 						else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6"))
@@ -447,6 +453,8 @@ static error_t parse_opt(int k, char *arg, struct argp_state *state)
 	case 'p':
 		p = strtok(arg, ",;");
 		do {
+			if (!p)
+				goto err_inval;
 			if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5"))
 				ch_proto |= RC_5;
 			else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6"))
@@ -813,14 +821,19 @@ static int v1_get_sw_enabled_protocol(char *dirname)
 		return 0;
 	}
 
-	p = strtok(buf, " \n");
-	rc = atoi(p);
-
 	if (fclose(fp)) {
 		perror(name);
 		return errno;
 	}
 
+	p = strtok(buf, " \n");
+	if (!p) {
+		fprintf(stderr, "%s has invalid content: '%s'\n", name, buf);
+		return 0;
+	}
+
+	rc = atoi(p);
+
 	if (debug)
 		fprintf(stderr, "protocol %s is %s\n",
 			name, rc? "enabled" : "disabled");