[rpm PATCH] Fix unterminated buffer after readlink() call

James Antill james at fedoraproject.org
Mon Oct 24 18:47:00 UTC 2011


On Fri, 2011-10-21 at 23:05 +0200, Thomas Jarosch wrote:
> readlink() never terminates the buffer.
> 
> Detected by "cppcheck" (git HEAD)

 Not that it's a terrible idea to make it more obvious, but these
weren't bugs...

> Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
> ---
>  lib/rpmfi.c |    8 ++++++--
>  1 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/rpmfi.c b/lib/rpmfi.c
> index e1e8fa9..6186d9f 100644
> --- a/lib/rpmfi.c
> +++ b/lib/rpmfi.c
[...]
    memset(buffer, 0, sizeof(buffer));
    if (dbWhat == REG) {
[...]
    } else /* dbWhat == LINK */ {
        const char * oFLink, * nFLink;
        oFLink = rpmfiFLink(ofi);
        if (diskWhat == LINK) {
            if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)

...so "buffer[sizeof(buffer) -1] == 0" already.

> @@ -661,8 +661,10 @@ rpmFileAction rpmfiDecideFate(const rpmfi ofi, rpmfi nfi, int skipMissing)
>  	const char * oFLink, * nFLink;
>  	oFLink = rpmfiFLink(ofi);
>  	if (diskWhat == LINK) {
> -	    if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)
> +	    ssize_t link_len = readlink(fn, buffer, sizeof(buffer) - 1);
> +	    if (link_len == -1)
>  		return FA_CREATE;	/* assume file has been removed */
> +	    buffer[link_len] = '\0';
>  	    if (oFLink && rstreq(oFLink, buffer))
>  		return FA_CREATE;	/* unmodified config file, replace. */
>  	}
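Review bot: The added `buffer[link_len] = '\0';` terminates the string but leaves truncation unhandled: readlink() is given sizeof(buffer) - 1, so a link_len equal to that value may mean the target was longer than the buffer, and rstreq() on the next line then compares a cut-off path against oFLink. That case is presumably reported as a mismatch rather than as an error, which looks conservative but is silent; if it should be distinguished, the guard could become `if (link_len == -1 || (size_t)link_len >= sizeof(buffer) - 1)`, with the action taken on truncation to be decided by whoever owns the FA_* semantics, otherwise a comment such as `/* link_len == sizeof(buffer) - 1: target may be truncated */` above the terminator would at least record it. The hunk in rpmfiConfigConflict below has the same shape and the same gap. rpmfiDecideFate starts and ends outside this hunk.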
> @@ -712,8 +714,10 @@ int rpmfiConfigConflict(const rpmfi fi)
>  	    return 0;	/* unmodified config file */
>      } else /* newWhat == LINK */ {
>  	const char * nFLink;
> -	if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)
> +	ssize_t link_len = readlink(fn, buffer, sizeof(buffer) - 1);
> +	if (link_len == -1)
>  	    return 0;	/* assume file has been removed */
> +	buffer[link_len] = '\0';
>  	nFLink = rpmfiFLink(fi);
>  	if (nFLink && rstreq(nFLink, buffer))
>  	    return 0;	/* unmodified config file */

 The same memset() is just outside the patch context here too.


