[rpm PATCH] Fix unterminated buffer after readlink() call
James Antill
james at fedoraproject.org
Mon Oct 24 18:47:00 UTC 2011
On Fri, 2011-10-21 at 23:05 +0200, Thomas Jarosch wrote:
> readlink() does not NUL-terminate the buffer it fills.
>
> Detected by "cppcheck" (git HEAD)
Not that it's a terrible idea to make it more obvious, but these
weren't bugs...
> Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
> ---
> lib/rpmfi.c | 8 ++++++--
> 1 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/lib/rpmfi.c b/lib/rpmfi.c
> index e1e8fa9..6186d9f 100644
> --- a/lib/rpmfi.c
> +++ b/lib/rpmfi.c
[...]
memset(buffer, 0, sizeof(buffer));
if (dbWhat == REG) {
[...]
} else /* dbWhat == LINK */ {
const char * oFLink, * nFLink;
oFLink = rpmfiFLink(ofi);
if (diskWhat == LINK) {
if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)
...so buffer[sizeof(buffer) - 1] == 0 already: the memset() above zeroes the whole buffer and readlink() writes at most sizeof(buffer) - 1 bytes, so the last byte is never overwritten.
> @@ -661,8 +661,10 @@ rpmFileAction rpmfiDecideFate(const rpmfi ofi, rpmfi nfi, int skipMissing)
> const char * oFLink, * nFLink;
> oFLink = rpmfiFLink(ofi);
> if (diskWhat == LINK) {
> - if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)
> + ssize_t link_len = readlink(fn, buffer, sizeof(buffer) - 1);
> + if (link_len == -1)
> return FA_CREATE; /* assume file has been removed */
> + buffer[link_len] = '\0';
> if (oFLink && rstreq(oFLink, buffer))
> return FA_CREATE; /* unmodified config file, replace. */
> }
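Review bot: readlink() still truncates silently when the target is longer than sizeof(buffer) - 1, so after the added terminator at `buffer[link_len] = '\0'` a result with `link_len == sizeof(buffer) - 1` may hold only a prefix of the real target, and `rstreq(oFLink, buffer)` then compares against partial data. A truncated prefix will almost always compare unequal to the stored target, so the link is treated as modified and FA_CREATE is not returned here, which looks like the conservative outcome, but nothing says so. I would state it at the readlink call: `/* a target longer than the buffer is truncated; it then compares unequal and is treated as modified */`. If truncation should instead be reported explicitly, test `(size_t)link_len >= sizeof(buffer) - 1` right after the `link_len == -1` check. rpmfiDecideFate begins before this hunk and continues after it.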
> @@ -712,8 +714,10 @@ int rpmfiConfigConflict(const rpmfi fi)
> return 0; /* unmodified config file */
> } else /* newWhat == LINK */ {
> const char * nFLink;
> - if (readlink(fn, buffer, sizeof(buffer) - 1) == -1)
> + ssize_t link_len = readlink(fn, buffer, sizeof(buffer) - 1);
> + if (link_len == -1)
> return 0; /* assume file has been removed */
> + buffer[link_len] = '\0';
> nFLink = rpmfiFLink(fi);
> if (nFLink && rstreq(nFLink, buffer))
> return 0; /* unmodified config file */
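Review bot: This hunk repeats the readlink-then-terminate sequence from rpmfiDecideFate line for line (`ssize_t link_len = readlink(...)`, the -1 check, `buffer[link_len] = '\0'`), and the two copies will drift the first time one of them grows a truncation check. A small static helper that performs the bounded readlink() and the termination keeps the two call sites identical and gives the truncation behaviour one place to be documented; it preserves the current semantics, where an over-long target is truncated and then simply compares unequal to the stored one. The helper name below follows the file's rpmfi prefix but is only a suggestion. rpmfiConfigConflict begins before this hunk and continues after it.
```c
/* readlink() into buf and NUL-terminate; returns -1 (errno set) on failure.
 * A target longer than bufsz - 1 bytes is truncated, as readlink() itself does. */
static ssize_t rpmfiReadLink(const char *fn, char *buf, size_t bufsz)
{
    ssize_t len = readlink(fn, buf, bufsz - 1);
    if (len != -1)
	buf[len] = '\0';
    return len;
}

/* … unchanged: rpmfiConfigConflict up to the LINK branch … */
	    if (rpmfiReadLink(fn, buffer, sizeof(buffer)) == -1)
		return 0; /* assume file has been removed */
```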
The same memset() sits just above this hunk, outside the patch context, so this site was already terminated too.