[Toybox] [Patch] - readfile() has potential segfault

Ashwini Sharma ak.ashwini1981 at gmail.com
Fri May 2 03:47:45 PDT 2014


Hi Rob,

In function __readfile()__, the buffer __buf__ is freed when __readall()__
fails.
This __free__ can cause a crash if the buffer passed by the user of the function
is not a __malloc'ed__ one.

__names_to_pid()__ is one use case example here.

The patch takes care of the same.

diff -Naur a/lib/lib.c b/lib/lib.c
--- a/lib/lib.c 2014-04-29 16:33:17.000000000 +0530
+++ b/lib/lib.c 2014-05-02 16:14:27.194614098 +0530
@@ -323,9 +323,10 @@

 // Read contents of file as a single nul-terminated string.
 // malloc new one if buf=len=0
-char *readfile(char *name, char *buf, off_t len)
+char *readfile(char *name, char *ibuf, off_t len)
 {
   int fd;
+  char *buf;

   fd = open(name, O_RDONLY);
   if (fd == -1) return 0;
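Review bot: the new local introduced by `+  char *buf;` is left uninitialised until the `if (!ibuf)`/`else` pair in the next hunk; initialising it at the declaration (`char *buf = ibuf;`) removes that window, lets the allocation read simply `if (!ibuf) buf = xmalloc(len+1);` with no `else` branch, and keeps the early `return 0` path obviously safe. The header comment `// malloc new one if buf=len=0` still names the old parameter `buf`; since this patch changes the contract, it should say that a caller-supplied buffer is never freed by readfile().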
@@ -335,12 +336,13 @@
     // proc files don't report a length, so try 1 page minimum.
     if (len<4096) len = 4096;
   }
-  if (!buf) buf = xmalloc(len+1);
+  if (!ibuf) buf = xmalloc(len+1);
+  else buf = ibuf;

   len = readall(fd, buf, len-1);
   close(fd);
   if (len<0) {
-    free(buf);
+    if (ibuf != buf) free(buf);
     buf = 0;
   } else buf[len] = 0;

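Review bot: `if (ibuf != buf) free(buf);` is correct but indirect; the condition that actually matters is whether this function allocated the buffer, which is `if (!ibuf) free(buf);` and mirrors the `if (!ibuf) buf = xmalloc(len+1);` line above. Worth stating for callers such as names_to_pid(): on the failure path a caller-supplied buffer may now hold a partial read with no terminating nul (the `buf[len] = 0` only runs in the `else` branch), and the only failure signal is the null return, so callers must test the return value, never the buffer contents.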
regards,
Ashwini
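The ownership rule the patch establishes, as an added stand-alone C example (not toybox's own code; xmalloc() and readall() are stand-ins replaced by malloc() and a read() loop, and the file name and contents are constructed for the check):

```c
// Added example (not toybox code): readfile() with the patch's ownership rule.
// xmalloc()/readall() are assumed helpers, replaced by malloc() and a read() loop.
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Read up to len bytes; -1 on any read error (stands in for readall()).
static ssize_t read_all(int fd, char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) return n < 0 ? -1 : (ssize_t)got;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

// Read file as a nul-terminated string. ibuf == NULL: allocate len+1 bytes (len 0
// means one page), caller frees. A caller-supplied ibuf is never freed (stack-safe).
char *readfile_fixed(const char *name, char *ibuf, off_t len)
{
    char *buf = ibuf;
    int fd = open(name, O_RDONLY);
    if (fd == -1) return 0;
    if (!ibuf && len < 1) len = 4096;
    if (!ibuf) buf = malloc(len + 1);
    if (!buf || len < 1) { close(fd); return 0; }
    ssize_t got = read_all(fd, buf, len - 1);
    close(fd);
    if (got < 0) { if (!ibuf) free(buf); return 0; }  // only free what we allocated
    buf[got] = 0;
    return buf;
}

// Constructed check: a temp file read via both paths, then a failing read (read()
// on a directory is EISDIR on Linux) into a stack buffer: the case that crashed.
int check_readfile(void)
{
    char tmpl[] = "/tmp/readfile_XXXXXX", stackbuf[64];
    int fd = mkstemp(tmpl);
    if (fd < 0 || write(fd, "hello\n", 6) != 6) return 0;
    close(fd);
    char *heap = readfile_fixed(tmpl, 0, 0);
    char *stk = readfile_fixed(tmpl, stackbuf, sizeof stackbuf);
    int ok = heap && stk == stackbuf && !strcmp(heap, "hello\n") && !strcmp(stk, "hello\n");
    free(heap);
    unlink(tmpl);
    return ok && readfile_fixed("/", stackbuf, sizeof stackbuf) == 0;
}
```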