diff options
author | philhofer <phofer@umich.edu> | 2018-12-18 21:02:24 -0800 |
---|---|---|
committer | William Hubbs <w.d.hubbs@gmail.com> | 2018-12-27 11:28:27 -0600 |
commit | 846e4600754dab3f0cb49edb4ad9e2b2b73d3f47 (patch) | |
tree | 037e9c5f49a983a7d92bca78ebdd074087ecdbf0 /src/rc | |
parent | a32b14bbb43e9888acaaea6f764fb8dcb34fb941 (diff) |
fix potential out-of-bounds reads
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
rc = readlink(path, buf, sizeof(buf));
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes #270.
Diffstat (limited to 'src/rc')
-rw-r--r-- | src/rc/openrc-run.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/rc/openrc-run.c b/src/rc/openrc-run.c index 229f5ed3..7649b04c 100644 --- a/src/rc/openrc-run.c +++ b/src/rc/openrc-run.c @@ -1152,7 +1152,7 @@ int main(int argc, char **argv) } lnk = xmalloc(4096); memset(lnk, 0, 4096); - if (readlink(argv[1], lnk, 4096)) { + if (readlink(argv[1], lnk, 4096-1)) { dir = dirname(path); if (strchr(lnk, '/')) { save = xstrdup(dir); |