source: popexec.c @ 7149832

Last change on this file since 7149832 was 125fd21, checked in by Nelson Elhage <nelhage@mit.edu>, 11 years ago
Fix a use-after-free in popexec.c Fixes: #130
  • Property mode set to 100644
File size: 4.8 KB
1#include "owl.h"
2#ifdef HAVE_SYS_IOCTL_H
3#include <sys/ioctl.h>
4#endif
5#ifdef HAVE_SYS_FILIO_H
6#include <sys/filio.h>
7#endif
8#include <sys/wait.h>
9
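/*
 * Start `command` in a child shell and show its output in the popless
 * viewwin.
 *
 * Brings up the global popwin, pushes the "popless" context, creates a pipe
 * and forks.  The child runs `/bin/sh -c command` with stdout and stderr
 * redirected to the pipe; the parent registers owl_popexec_inputhandler on
 * the read end of the pipe.
 *
 * `command` is handed to /bin/sh unmodified, so every shell metacharacter in
 * it is interpreted.  Callers must not assemble it from untrusted text
 * without quoting it first.
 *
 * Reference counting: one reference is taken for the viewwin onclose hook
 * and, once the IO dispatch is registered, one more for the dispatch.
 *
 * Returns the new owl_popexec, or NULL if allocation, pipe() or fork()
 * failed.  After a pipe()/fork() failure the object is still referenced by
 * the onclose hook, which drops that reference via owl_popexec_unref().
 */
owl_popexec *owl_popexec_new(const char *command)
{
  owl_popexec *pe;
  owl_popwin *pw;
  owl_viewwin *v;
  int pipefds[2], child_write_fd, parent_read_fd;
  pid_t pid;

  pe = owl_malloc(sizeof(owl_popexec));
  if (!pe) return NULL;
  pe->winactive=0;
  pe->pid=0;
  pe->refcount=0;
  /* Must be initialised before the onclose hook is installed:
   * owl_popexec_viewwin_onclose() tests pe->dispatch, and on the pipe()/fork()
   * failure paths below nothing else ever assigns it. */
  pe->dispatch=NULL;

  pw=owl_global_get_popwin(&g);
  pe->vwin=v=owl_global_get_viewwin(&g);

  owl_popwin_up(pw);
  owl_global_push_context(&g, OWL_CTX_POPLESS, v, "popless");
  owl_viewwin_init_text(v, owl_popwin_get_curswin(pw),
                        owl_popwin_get_lines(pw), owl_popwin_get_cols(pw),
                        "");
  owl_viewwin_redisplay(v);
  owl_global_set_needrefresh(&g);
  owl_viewwin_set_onclose_hook(v, owl_popexec_viewwin_onclose, pe);
  pe->refcount++;  /* reference held by the onclose hook */

  if (0 != pipe(pipefds)) {
    owl_function_error("owl_function_popless_exec: pipe failed\n");
    return NULL;
  }
  parent_read_fd = pipefds[0];
  child_write_fd = pipefds[1];
  pid = fork();
  if (pid == -1) {
    close(pipefds[0]);
    close(pipefds[1]);
    owl_function_error("owl_function_popless_exec: fork failed\n");
    return NULL;
  } else if (pid != 0) {
    close(child_write_fd);
    /* still in owl */
    pe->pid=pid;
    pe->winactive=1;
    pe->dispatch = owl_select_add_io_dispatch(parent_read_fd, OWL_IO_READ|OWL_IO_EXCEPT, &owl_popexec_inputhandler, &owl_popexec_delete_dispatch, pe);
    pe->refcount++;  /* reference held by the IO dispatch */
  } else {
    /* in the child process */
    int i;
    int fdlimit = sysconf(_SC_OPEN_MAX);

    /* Close every inherited descriptor except the pipe's write end so the
     * shell cannot reach owl's open files and sockets.  This also closes
     * stdin, so the command runs with fd 0 closed.
     * NOTE(review): if sysconf() returns -1 the loop closes nothing. */
    for (i=0; i<fdlimit; i++) {
      if (i!=child_write_fd) close(i);
    }
    /* Without a working stdout/stderr the output would be lost, so give up
     * rather than run the command blind. */
    if (dup2(child_write_fd, 1 /*stdout*/) < 0 ||
        dup2(child_write_fd, 2 /*stderr*/) < 0) {
      _exit(127);
    }
    close(child_write_fd);

    execl("/bin/sh", "sh", "-c", command, (const char *)NULL);
    /* only reached if execl() failed */
    _exit(127);
  }

  return pe;
}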
75
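/*
 * IO dispatch callback for the read end of the child's output pipe.
 *
 * Reads up to 1024 bytes of pending output from d->fd and appends it to the
 * viewwin.  When no data is pending and the child has exited, reaps it and
 * removes the dispatch.
 *
 * d    - the dispatch whose fd became readable (or raised an exception).
 * data - the owl_popexec registered with the dispatch; ignored if NULL.
 */
void owl_popexec_inputhandler(const owl_io_dispatch *d, void *data)
{
  owl_popexec *pe = data;
  /* navail starts at 0 so it is never read uninitialised when the FIONREAD
   * ioctl below fails. */
  int navail = 0, bread, rv_navail;
  char *buf;
  int status;

  if (!pe) return;

  /* If pe->winactive is 0 then the vwin has closed.
   * If pe->pid is 0 then the child has already been reaped.
   * if d->fd is -1 then the fd has been closed out.
   * Under these cases we want to get to a state where:
   *   - data read until end if child running
   *   - child reaped
   *   - fd closed
   *   - callback removed
   */

  /* the viewwin has closed */
  if (!pe->pid && !pe->winactive) {
    /* Clear our pointer before removing the dispatch: if the removal runs
     * owl_popexec_delete_dispatch() synchronously, that callback may drop
     * the last reference and free pe. */
    pe->dispatch = NULL;
    owl_select_remove_io_dispatch(d);
    return;
  }

  if (0 != (rv_navail = ioctl(d->fd, FIONREAD, &navail))) {
    owl_function_debugmsg("ioctl error");
    navail = 0;  /* do not trust whatever the failed ioctl left behind */
  }

  /* check to see if the child has ended gracefully and no more data is
   * ready to be read... */
  if (navail==0 && pe->pid>0 && waitpid(pe->pid, &status, WNOHANG) > 0) {
    owl_function_debugmsg("waitpid got child status: <%d>\n", status);
    pe->pid = 0;
    if (pe->winactive) {
      owl_viewwin_append_text(pe->vwin, "\n");
      owl_viewwin_redisplay(pe->vwin);
      owl_global_set_needrefresh(&g);
    }
    /* same ordering as above: touch pe before the dispatch goes away */
    pe->dispatch = NULL;
    owl_select_remove_io_dispatch(d);
    return;
  }

  if (d->fd<0 || !pe->pid || !pe->winactive || rv_navail) {
    owl_function_error("popexec should not have reached this point");
    return;
  }

  if (navail<=0) return;
  if (navail>1024) { navail = 1024; }
  buf = owl_malloc(navail+1);
  if (!buf) return;
  owl_function_debugmsg("about to read %d", navail);
  bread = read(d->fd, buf, navail);
  if (bread<0) {
    perror("read");
    owl_function_debugmsg("read error");
    /* nothing was read, so buf holds only uninitialised heap bytes */
    owl_free(buf);
    return;
  }
  /* Terminate at the number of bytes actually read.  A short read must not
   * expose the unwritten tail of the buffer to the viewwin or the debug log. */
  buf[bread] = '\0';
  owl_function_debugmsg("got data:  <%s>", buf);
  if (pe->winactive) {
    owl_viewwin_append_text(pe->vwin, buf);
    owl_viewwin_redisplay(pe->vwin);
    owl_global_set_needrefresh(&g);
  }
  owl_free(buf);
}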
147
/*
 * Destroy callback for the IO dispatch registered in owl_popexec_new().
 *
 * Closes the dispatch's file descriptor and releases the reference that the
 * dispatch held on its owl_popexec, which may free that object.
 */
void owl_popexec_delete_dispatch(const owl_io_dispatch *d)
{
  owl_popexec *owner = d->data;

  close(d->fd);
  owl_popexec_unref(owner);
}
154
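/*
 * Viewwin onclose hook: tear down the popexec attached to a closing viewwin.
 *
 * Marks the window inactive, removes the IO dispatch if one is still
 * registered, sends SIGTERM to a child that is still recorded and waits for
 * it, then drops the reference held by the hook.
 *
 * vwin - the viewwin being closed (not used here).
 * data - the owl_popexec passed to owl_viewwin_set_onclose_hook().
 */
void owl_popexec_viewwin_onclose(owl_viewwin *vwin, void *data)
{
  owl_popexec *pe = data;
  /* status starts at 0 so the debug message below never prints an
   * indeterminate value when waitpid() fails. */
  int status = 0, rv;

  pe->winactive = 0;
  if (pe->dispatch) {
    owl_select_remove_io_dispatch(pe->dispatch);
    pe->dispatch = NULL;
  }
  if (pe->pid) {
    /* TODO: we should handle the case where SIGTERM isn't good enough */
    /* NOTE(review): the waitpid() below blocks, so a child that ignores
     * SIGTERM stalls this call until it exits. */
    rv = kill(pe->pid, SIGTERM);
    owl_function_debugmsg("kill of pid %d returned %d", (int)pe->pid, rv);
    rv = waitpid(pe->pid, &status, 0);
    owl_function_debugmsg("waidpid returned %d, status %d", rv, status);
    pe->pid = 0;
  }
  owl_function_debugmsg("unref of %p from onclose", pe);
  owl_popexec_unref(pe);
}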
176
/*
 * Drop one reference to pe and free it once no references remain.
 *
 * pe must be a valid, non-NULL owl_popexec; callers must not touch it after
 * this call, since it may have been freed.
 */
void owl_popexec_unref(owl_popexec *pe)
{
  owl_function_debugmsg("unref of %p was %d", pe, pe->refcount);
  pe->refcount -= 1;
  if (pe->refcount > 0) {
    return;  /* someone else still holds a reference */
  }
  owl_function_debugmsg("doing free of %p", pe);
  owl_free(pe);
}