Closed Bug 281666 Opened 20 years ago Closed 19 years ago

Fixes unchecked use of strcpy/strcat + memory holes in nsDirPrefs.cpp

Categories

(MailNews Core :: Address Book, defect)

Product:
MailNews Core
Component:
Address Book
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: tim.ruehsen, Assigned: standard8)

References

Details

Attachments

(3 files, 3 obsolete files)

New version v2 (-w)
51.24 KB, patch
standard8
: review+
neil
: superreview+
Details | Diff | Splinter Review
New version v2 (normal patch), checked in.
62.10 KB, patch
Details | Diff | Splinter Review
regression fix (checked in)
1.19 KB, patch
Bienvenu
: review+
Bienvenu
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.3; Linux) KHTML/3.3.2 (like Gecko)
Build Identifier: 

- found 2 or 3 places with memory not freed in any case (e.g. see 
dir_SaveReplicationInfo()) 
- introduced more NULL checks for function params 
- replaced strcpy/strcat by PR_snprintf+assertion on buffer overflow 
- removed these ugly and confusing 'scratch' buffers (this introduces a larger 
stack usage) 
 

Reproducible: Always
Attached patch cvs diff for nsDirPrefs.cpp (obsolete) — Splinter Review 

        Attachment #173865 -
        Flags: review?(bienvenu)

    
  
Assignee: sspitzer → mail

    
  
Assignee: mail → nobody
Component: Address Book → MailNews: Address Book
Product: Mozilla Application Suite → Core
QA Contact: addressbook
Version: unspecified → Trunk

    
    

    
  
Comment on attachment 173865 [details] [diff] [review]
cvs diff for nsDirPrefs.cpp 

I'm setting r- on behalf of bienvenu.

This patch currently bitrots on apply, could you update it and post a fresh one? (and we'll try and review it a bit sooner this time).

Generally the idea looks good and it'll be nice to have a bit more of a tidy up in nsDirPrefs.

However whilst I'm here a couple of comments from a quick look at it:

+	if (!server)
+	{
+		NS_ASSERTION(PR_FALSE, "server is null");
+		return NS_ERROR_FAILURE;
+	}

a check for a null pointer passed to a function can be done better by NS_ENSURE_ARG_POINTER(server)

IMHO it would be better to convert the "scratch" buffer: 
-	PL_strcpy(scratch, prefRoot);
-	PL_strcat(scratch, ".");
-	PL_strcat(scratch, prefLeaf);

to nsAutoString or something similar rather than use PR_snprintf.

        Attachment #173865 -
        Flags: review?(bienvenu) → review-

    
    

    
  
I have checked with Tim, and he's no longer working on Mozilla :-( However, he said I could take his patch on and update it, so I'll do this at some stage in the next couple of weeks and tidy up nsDirPrefs a bit more.
Assignee: nobody → bugzilla

    
  
Blocks: 287832

    
    

    
  

      
      
      
      

        Attached patch
          
          
        New version (-w) (obsolete)
        — Splinter Review
      

    


  
This takes Tim's original patch and reimplements it for the current tree. In addiiton, I've tried to make some improvements on the way, and also only checked for the presence of parameters where I think its really necessary (typically when the calling functions don't do it). I have also done a lot of tab removal and whitespace clean up - hence the -w patch.

        Attachment #204856 -
        Flags: review?(bienvenu)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        New version (normal patch) (obsolete)
        — Splinter Review
      

    


  

    
  

        Attachment #204856 -
        Flags: review?(bienvenu) → review+

    
  

        Attachment #204856 -
        Flags: superreview?(neil.parkwaycc.co.uk)

    
    

    
  
Comment on attachment 204856 [details] [diff] [review]
New version (-w)

Mostly OK, but a couple of issues that apply in several places:

>+    nsXPIDLCString prefValue;
>+
>+    prefValue.Append(prefRoot);
>+    prefValue.Append('.');
>+    prefValue.Append(prefLeaf);
>  
>+    if (NS_SUCCEEDED(pPref->GetCharPref(prefValue, getter_Copies(value))))
This should be something like nsCAutoString prefLocation(prefRoot); and prefLocation.get();

>+    replPrefName.Append(NS_LITERAL_CSTRING(".replication"));
Don't Append an NS_LITERAL_CSTRING when you can AppendLiteral instead.

>+    if (!PR_snprintf (prefLocation, 128, "%s.filter%d", prefstring, filterNum))
>+    {
>+      NS_WARNING("DIR_GetCustomFilterPrefs: Buffer too small");
>+      continue;
>+    }
> 
>+    nsCAutoString branch(prefLocation);
Please construct an nsCAutoString prefLocation.

        Attachment #204856 -
        Flags: superreview?(neil.parkwaycc.co.uk) → superreview-

    
    

    
  


  
Revised version addressing Neil's review comments.

        Attachment #204856 -
        Attachment is obsolete: true

        Attachment #206917 -
        Flags: superreview?(neil.parkwaycc.co.uk)

        Attachment #206917 -
        Flags: review+

    
    

    
  


  
The non -w version.

        Attachment #204857 -
        Attachment is obsolete: true

    
  

        Attachment #173865 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 206917 [details] [diff] [review]
New version v2 (-w)

Some double blank lines strangely showed up on the interdiff, although there's obviously no sign of them here.

        Attachment #206917 -
        Flags: superreview?(neil.parkwaycc.co.uk) → superreview+

    
    

    
  
Comment on attachment 206918 [details] [diff] [review]
New version v2 (normal patch), checked in.

This patch has now been checked in.
Checking in mailnews/addrbook/src/nsDirPrefs.cpp;
/cvsroot/mozilla/mailnews/addrbook/src/nsDirPrefs.cpp,v  <--  nsDirPrefs.cpp
new revision: 1.102; previous revision: 1.101

        Attachment #206918 -
        Attachment description: New version v2 (normal patch) → New version v2 (normal patch), checked in.

    
    

    
  
This bug is now fixed, thanks to Tim for the initial patch.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
I just noticed I caused a regression in address book prefs - we are setting extra string prefs even when the values are the default values :-(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  


  
This patch fixes the comparison of the default value with the new value (not the prefLocation - opps). Think I probably overdid the copy & paste.

        Attachment #207112 -
        Flags: superreview?(bienvenu)

        Attachment #207112 -
        Flags: review?(bienvenu)

    
  

        Attachment #207112 -
        Flags: superreview?(bienvenu)

        Attachment #207112 -
        Flags: superreview+

        Attachment #207112 -
        Flags: review?(bienvenu)

        Attachment #207112 -
        Flags: review+

    
  

        Attachment #207112 -
        Attachment description: regression fix → regression fix (checked in)

    
    

    
  
Regression fix checked in -> fixed.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED

    
    

    
  
Verified via proxy (reviews, code inspection using LXR, etc.)
Status: RESOLVED → VERIFIED
Product: Core → MailNews Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: