diff options
author | philhofer <phofer@umich.edu> | 2018-12-18 21:02:24 -0800 |
---|---|---|
committer | William Hubbs <w.d.hubbs@gmail.com> | 2018-12-27 11:28:27 -0600 |
commit | 846e4600754dab3f0cb49edb4ad9e2b2b73d3f47 (patch) | |
tree | 037e9c5f49a983a7d92bca78ebdd074087ecdbf0 /support/init.d.examples/wpa_supplicant.in | |
parent | a32b14bbb43e9888acaaea6f764fb8dcb34fb941 (diff) |
fix potential out-of-bounds reads
readlink(3) does not nul-terminate the result it sticks
into the supplied buffer. Consequently, the code
rc = readlink(path, buf, sizeof(buf));
does not necessarily produce a C string.
The code in rc_find_pid() produces some C strings this way
and passes them to strlen() and strcmp(), which can lead
to an out-of-bounds read.
In this case, since the code already takes care to
zero-initialize the buffers before passing them
to readlink(3), only allow sizeof(buf)-1 bytes to
be returned.
(While fixing this issue, I fixed two other locations that
used the same problematic pattern.)
This fixes #270.
Diffstat (limited to 'support/init.d.examples/wpa_supplicant.in')
0 files changed, 0 insertions, 0 deletions