[Toybox] [PATCH] losetup: Fix null-termination of src string instead of dest after copy

Alessio Balsini balsini at android.com
Mon Oct 14 09:06:39 PDT 2019


The function loopback_setup(), after copying the loopback device name
with xstrncpy(), ensures the null-termination of the string by forcing
its last byte to 0.

Unfortunately, this operation:
- was probably intended to null-terminate dest instead;
- does not affect the program execution because src is free()d right
  after;
- if the size of src is smaller than the offset of the written zero, it
  modifies an unknown byte in the heap.

Drop the null-termination line to fix the issue: xstrcpy() automatically
null-terminates dest, or fails if the size of src is bigger than the
requested number of bytes to copy.

Signed-off-by: Alessio Balsini <balsini at android.com>
---
 toys/other/losetup.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/toys/other/losetup.c b/toys/other/losetup.c
index e73761a0..917e64ea 100644
--- a/toys/other/losetup.c
+++ b/toys/other/losetup.c
@@ -113,7 +113,6 @@ static int loopback_setup(char *device, char *file)
     loop->lo_offset = TT.o;
     loop->lo_sizelimit = TT.S;
     xstrncpy((char *)loop->lo_file_name, s, LO_NAME_SIZE);
-    s[LO_NAME_SIZE-1] = 0;
     if (ioctl(lfd, LOOP_SET_STATUS64, loop)) perror_exit("%s=%s", device, file);
     if (FLAG(s)) puts(device);
     free(s);
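Review bot: The commit message justifies dropping `s[LO_NAME_SIZE-1] = 0;` by the behaviour of xstrcpy(), but the retained context line calls `xstrncpy((char *)loop->lo_file_name, s, LO_NAME_SIZE);`, so the message should name xstrncpy() to match the code. Because the removal relies on that helper either terminating dest or failing on an over-long src, a short comment on the xstrncpy() line stating this would keep the explicit termination from being reintroduced later. The hunk does not show how s is allocated, so the heap-write case described in the message cannot be confirmed from these lines alone; naming the allocation site in the message would make that claim checkable.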
-- 
2.23.0.700.g56cf767bdb-goog



