diff options
| author | Petr Špaček <petr.spacek@nic.cz> | 2017-02-03 15:18:49 +0100 |
|---|---|---|
| committer | Petr Špaček <petr.spacek@nic.cz> | 2017-02-07 08:45:05 +0100 |
| commit | 3ddfc6093be6bc0b6f9567150e6e1247ddd0c0db (patch) | |
| tree | 5ea8b2a8afb7840c00f6960d6c45e956e6860a69 | |
| parent | Merge !192: doc build nitpicks (diff) | |
| download | knot-resolver-3ddfc6093be6bc0b6f9567150e6e1247ddd0c0db.tar.xz knot-resolver-3ddfc6093be6bc0b6f9567150e6e1247ddd0c0db.zip | |
Fix -k argument processing to avoid out-of-bounds memory accesses
Mangling of keyfile_dir and allocation of keyfile_path led to rare
crashes (and Valgrind complaints).
The error was introduced in 21f3a6b9d0ed3b4ae05d4d1f1612f0f277235723.
| -rw-r--r-- | daemon/main.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/daemon/main.c b/daemon/main.c index 435a0927..7e2cf61e 100644 --- a/daemon/main.c +++ b/daemon/main.c @@ -640,17 +640,18 @@ int main(int argc, char **argv) char *_filename = basename(basename_storage); int dirlen = strlen(keyfile_dir); int namelen = strlen(_filename); - if (dirlen + namelen >= PATH_MAX) { + if (dirlen + 1 + namelen >= PATH_MAX) { kr_log_error("[ ta ]: keyfile '%s' PATH_MAX exceeded\n", keyfile); ret = EXIT_FAILURE; goto cleanup; } - keyfile_dir[dirlen] = '/'; + keyfile_dir[dirlen++] = '/'; + keyfile_dir[dirlen] = '\0'; auto_free char *keyfile_path = malloc(dirlen + namelen + 1); - memcpy(keyfile_path, keyfile_dir, dirlen + 1); - memcpy(keyfile_path + dirlen + 1, _filename, namelen + 1); + memcpy(keyfile_path, keyfile_dir, dirlen); + memcpy(keyfile_path + dirlen, _filename, namelen + 1); int unmanaged = 0; |