Fix cve-check-update looping processing META files

akarollil · akarollil · commit e45e646bf571 · 2018-09-18T10:51:06.000-07:00
META file should have key:value lines but if the NIST NVD website is
down, instead of the META file, the page describing the site being down
is downloaded instead, which results in cve-check-update getting stuck
in a loop trying to process the invalid META file. This can also be
reproduced easily by tweaking a valid META file to have a colon (:) as
the first character in the file.

Fix by using fgets to get lines, and fscanf to parse them to keep file
pointer handling simple.
diff --git a/src/update.c b/src/update.c
@@ -113,27 +113,19 @@ static cve_string *nvdcve_make_fname(int year, const char *fext)
 
 static char *nvdcve_meta_get_val(FILE *f, const char *field)
 {
-        do {
-                char field_name[256], field_value[256];
-                int ret;
-
-                ret = fscanf(f, " %255[^: \f\n\r\t\v] :%255s", field_name, field_value);
+        char field_name[MAX_META_FILE_KEY_VALUE_SIZE];
+        char field_value[MAX_META_FILE_KEY_VALUE_SIZE];
+        char line[MAX_META_FILE_LINE_SIZE];
+        int ret;
+        while (fgets(line, MAX_META_FILE_LINE_SIZE, f)) {
+                ret = sscanf(line, " %255[^: ] : %255s", field_name, field_value);
                 if (ret != 2) {
-                        if (ret != EOF) {
-                                continue;
-                        }
-                        if (ferror(f)) {
-                                if (errno == EINTR || errno == EAGAIN) {
-                                        clearerr(f);
-                                        continue;
-                                }
-                        }
-                        return NULL;
-                }
-                if (streq(field_name, field)) {
+                        fprintf(stderr, "Ignoring unparseable line in META file\n");
+                } else if (streq(field_name, field)) {
                         return strdup(field_value);
                 }
-        } while (1);
+        }
+        return NULL;
 }
 
 static bool nvdcve_data_ok(const char *meta, const char *data)
diff --git a/src/update.h b/src/update.h
@@ -11,6 +11,9 @@
 
 #include "cve-string.h"
 
+#define MAX_META_FILE_LINE_SIZE 512
+#define MAX_META_FILE_KEY_VALUE_SIZE 256
+
 cve_string *get_db_path(const char *path);
 
 int update_required(const char *db_file);
