libauth: fix out of bounds memory access in _parseattr()

empty token would read ""[-1] accidentally in the AttrQuery case.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2018-01-01 23:23:55 +0100
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2018-01-01 23:23:55 +0100
commit: 4edc761024c6d9971e7fae28081e178b35288469 (patch)
tree: 42d3c019bc09744453aea22e51c7dbb1f9cc8508 /sys/src
parent: f7b0cc7a64b4d2df64c666cdc9740a1aceb7aa9d (diff)
1 files changed, 6 insertions, 14 deletions
diff --git a/sys/src/libauth/attr.c b/sys/src/libauth/attr.c
index 5f35750ba..f67a12e31 100644
--- a/sys/src/libauth/attr.c
+++ b/sys/src/libauth/attr.c
@@ -128,7 +128,7 @@ Attr*
 _parseattr(char *s)
 {
 	char *p, *t, *tok[256];
-	int i, ntok, type;
+	int i, ntok;
 	Attr *a;
 
 	s = strdup(s);
@@ -139,25 +139,17 @@ _parseattr(char *s)
 	a = nil;
 	for(i=ntok-1; i>=0; i--){
 		t = tok[i];
-		if(p = strchr(t, '=')){
+		if((p = strchr(t, '=')) != nil){
 			*p++ = '\0';
-		//	if(p-2 >= t && p[-2] == ':'){
-		//		p[-2] = '\0';
-		//		type = AttrDefault;
-		//	}else
-				type = AttrNameval;
-			a = _mkattr(type, t, p, a);
-			setmalloctag(a, getcallerpc(&s));
-		}
-		else if(t[strlen(t)-1] == '?'){
-			t[strlen(t)-1] = '\0';
+			a = _mkattr(AttrNameval, t, p, a);
+		}else if((p = strchr(t, '\0')-1) >= t && *p == '?'){
+			*p = '\0';
 			a = _mkattr(AttrQuery, t, "", a);
-			setmalloctag(a, getcallerpc(&s));
 		}else{
 			/* really a syntax error, but better to provide some indication */
 			a = _mkattr(AttrNameval, t, "", a);
-			setmalloctag(a, getcallerpc(&s));
 		}
+		setmalloctag(a, getcallerpc(&s));
 	}
 	free(s);
 	return cleanattr(a);
author	cinap_lenrek <cinap_lenrek@felloff.net>	2018-01-01 23:23:55 +0100
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2018-01-01 23:23:55 +0100
commit	4edc761024c6d9971e7fae28081e178b35288469 (patch)
tree	42d3c019bc09744453aea22e51c7dbb1f9cc8508 /sys/src
parent	f7b0cc7a64b4d2df64c666cdc9740a1aceb7aa9d (diff)