fix potential out-of-bounds reads

readlink(3) does not nul-terminate the result it sticks into the supplied buffer. Consequently, the code rc = readlink(path, buf, sizeof(buf)); does not necessarily produce a C string. The code in rc_find_pid() produces some C strings this way and passes them to strlen() and strcmp(), which can lead to an out-of-bounds read. In this case, since the code already takes care to zero-initialize the buffers before passing them to readlink(3), only allow sizeof(buf)-1 bytes to be returned. (While fixing this issue, I fixed two other locations that used the same problematic pattern.) This fixes #270.
2018-12-18 21:02:24 -08:00
parent a32b14bbb4
commit 846e460075
3 changed files with 4 additions and 4 deletions
--- a/src/rc/openrc-run.c
+++ b/src/rc/openrc-run.c
@@ -1152,7 +1152,7 @@ int main(int argc, char **argv)
 	}
 	lnk = xmalloc(4096);
 	memset(lnk, 0, 4096);
-	if (readlink(argv[1], lnk, 4096)) {
+	if (readlink(argv[1], lnk, 4096-1)) {
 		dir = dirname(path);
 		if (strchr(lnk, '/')) {
 			save = xstrdup(dir);