From 846e4600754dab3f0cb49edb4ad9e2b2b73d3f47 Mon Sep 17 00:00:00 2001 From: philhofer Date: Tue, 18 Dec 2018 21:02:24 -0800 Subject: fix potential out-of-bounds reads readlink(3) does not nul-terminate the result it sticks into the supplied buffer. Consequently, the code rc = readlink(path, buf, sizeof(buf)); does not necessarily produce a C string. The code in rc_find_pid() produces some C strings this way and passes them to strlen() and strcmp(), which can lead to an out-of-bounds read. In this case, since the code already takes care to zero-initialize the buffers before passing them to readlink(3), only allow sizeof(buf)-1 bytes to be returned. (While fixing this issue, I fixed two other locations that used the same problematic pattern.) This fixes #270. --- src/rc/openrc-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/rc/openrc-run.c') diff --git a/src/rc/openrc-run.c b/src/rc/openrc-run.c index 229f5ed3..7649b04c 100644 --- a/src/rc/openrc-run.c +++ b/src/rc/openrc-run.c @@ -1152,7 +1152,7 @@ int main(int argc, char **argv) } lnk = xmalloc(4096); memset(lnk, 0, 4096); - if (readlink(argv[1], lnk, 4096)) { + if (readlink(argv[1], lnk, 4096-1)) { dir = dirname(path); if (strchr(lnk, '/')) { save = xstrdup(dir); -- cgit v1.2.3
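Review bot: the condition `if (readlink(argv[1], lnk, 4096-1))` still treats a readlink(3) failure as success, because the -1 it returns on error is non-zero, so on error the branch runs against the all-zero `lnk` (harmless here only because the memset makes it an empty string); capture the return value and test it explicitly, e.g. `ssize_t n = readlink(argv[1], lnk, 4096-1); if (n > 0) { lnk[n] = '\0'; ... }`, which also makes the terminator explicit instead of relying on the preceding memset and lets the caller notice silent truncation when `n == 4096-1` (readlink does not report that the target did not fit). The literal 4096 now appears in xmalloc, memset and readlink; a single named size (PATH_MAX or a local constant) would keep the three from drifting apart.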
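The commit message describes the general hazard: readlink(2) copies the link target into the buffer without a terminating NUL, so a buffer handed to strlen() or strcmp() afterwards is only a C string if the caller made it one. The following is an added example, not OpenRC's code: it demonstrates the missing terminator with a sentinel-filled buffer, then shows a wrapper that always NUL-terminates and, going one step beyond the patch above, treats a completely filled buffer as an error rather than returning a silently truncated path. The temp directory, the link name `lnk`, the target string and the helper names (`readlink_leaves_no_nul`, `readlink_str`, `readlink_alloc`, `demo`) are all constructed for this example; it assumes a POSIX system with a writable /tmp.

```c
/* Added example (not OpenRC code): readlink(2) does not NUL-terminate, and a
 * wrapper that always yields a C string and refuses silent truncation.
 * Assumes a POSIX system with a writable /tmp. All paths are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a temp directory containing a symlink "lnk" pointing at `target`.
 * Writes the link's path into `linkpath`. Returns 0 on success. */
static int make_test_link(const char *target, char *linkpath, size_t sz)
{
    char dir[] = "/tmp/readlink-ex-XXXXXX";   /* template for mkdtemp */
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(linkpath, sz, "%s/lnk", dir) >= (int)sz)
        return -1;
    return symlink(target, linkpath);
}

/* The pattern the commit fixes: readlink() writes exactly n bytes and no
 * terminator. Returns 1 if the byte just past the target still holds the
 * sentinel (no NUL was written), 0 if it was overwritten, -1 on error. */
int readlink_leaves_no_nul(const char *linkpath)
{
    char buf[64];
    memset(buf, 'X', sizeof buf);              /* sentinel, deliberately not 0 */
    ssize_t n = readlink(linkpath, buf, sizeof buf);  /* full size: the bug */
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    return buf[n] == 'X';                      /* still 'X': not a C string */
}

/* Hardened wrapper. Passes bufsz-1 (as the OpenRC fix does) so a byte is
 * always left for the terminator, writes that terminator explicitly, and
 * treats a full buffer as a possible truncation (errno = ENAMETOOLONG),
 * which the fix alone does not detect. Returns target length or -1. */
ssize_t readlink_str(const char *path, char *buf, size_t bufsz)
{
    if (bufsz < 2) { errno = EINVAL; return -1; }
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0)
        return -1;                             /* errno set by readlink */
    if ((size_t)n >= bufsz - 1) {              /* filled it: may be cut off */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Heap variant for callers that cannot bound the target length: doubles the
 * buffer until the target fits with room for the terminator. Caller frees. */
char *readlink_alloc(const char *path)
{
    size_t sz = 64;
    for (;;) {
        char *buf = malloc(sz);
        if (buf == NULL)
            return NULL;
        if (readlink_str(path, buf, sz) >= 0)
            return buf;
        free(buf);
        if (errno != ENAMETOOLONG || sz > (1u << 20))
            return NULL;                       /* real error or absurd length */
        sz *= 2;
    }
}

/* Builds the link and exercises all three helpers; returns 0 if every
 * expectation holds, otherwise the number of the failed check. */
int demo(void)
{
    char link[64], small[16], big[256];
    const char *target = "../../usr/lib/openrc/sh/openrc-run.sh";  /* constructed, 37 bytes */
    if (make_test_link(target, link, sizeof link) != 0)
        return 1;
    int rc = 0;
    if (readlink_leaves_no_nul(link) != 1)
        rc = 2;                                /* raw readlink left no NUL */
    else if (readlink_str(link, small, sizeof small) != -1 || errno != ENAMETOOLONG)
        rc = 3;                                /* 15-byte room must be refused */
    else if (readlink_str(link, big, sizeof big) != (ssize_t)strlen(target) || strcmp(big, target) != 0)
        rc = 4;                                /* big enough: exact C string */
    else {
        char *heap = readlink_alloc(link);
        if (heap == NULL || strcmp(heap, target) != 0)
            rc = 5;
        free(heap);
    }
    unlink(link);                              /* tidy up the temp files */
    *strrchr(link, '/') = '\0';
    rmdir(link);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo() = %d (0 = all checks passed)\n", rc);
    return rc;
}
```

The sentinel check is the decisive one: after a plain `readlink(path, buf, sizeof buf)` the byte at `buf[n]` is whatever was there before, so the zero-initialisation the commit relies on is doing all the work, and the `sizeof(buf)-1` limit is what guarantees a zero byte survives at the end of the buffer. Writing `buf[n] = '\0'` yourself removes that dependency and makes the truncation case visible.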