[Toybox] [Patch] - readfile() has potential segfault
Ashwini Sharma
ak.ashwini1981 at gmail.com
Fri May 2 03:47:45 PDT 2014
Hi Rob,
In function __readfile()__, the buffer __buf__ is free'd when __readall()__
fails.
This __free__ can cause a crash, if the buffer passed by user of function
is not __malloc'ed__ one.
__names_to_pid()__ is one usecase example here.
The patch takes care of the same.
diff -Naur a/lib/lib.c b/lib/lib.c
--- a/lib/lib.c 2014-04-29 16:33:17.000000000 +0530
+++ b/lib/lib.c 2014-05-02 16:14:27.194614098 +0530
@@ -323,9 +323,10 @@
// Read contents of file as a single nul-terminated string.
// malloc new one if buf=len=0
-char *readfile(char *name, char *buf, off_t len)
+char *readfile(char *name, char *ibuf, off_t len)
{
int fd;
+ char *buf;
fd = open(name, O_RDONLY);
if (fd == -1) return 0;
@@ -335,12 +336,13 @@
// proc files don't report a length, so try 1 page minimum.
if (len<4096) len = 4096;
}
- if (!buf) buf = xmalloc(len+1);
+ if (!ibuf) buf = xmalloc(len+1);
+ else buf = ibuf;
len = readall(fd, buf, len-1);
close(fd);
if (len<0) {
- free(buf);
+ if (ibuf != buf) free(buf);
buf = 0;
} else buf[len] = 0;
regards,
Ashwini
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20140502/3b154804/attachment-0004.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lib.c.patch
Type: application/octet-stream
Size: 812 bytes
Desc: not available
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20140502/3b154804/attachment-0005.obj>
More information about the Toybox
mailing list