sfdisk: Avoid out of boundary read with readline

It is not guaranteed that the returned string of readline() actually
contains as many bytes as buf can contain.

If bufsz is larger than the allocated memory by readline, an out of
boundary read occurs and leads to undefined behaviour. Most likely
that will be a crash.

This can be reproduced when readline-support is compiled in and when
you directly enter "quit" and "n" (to not write changes back to disk)
when sfdisk was called with any given device.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/disk-utils/sfdisk.c b/disk-utils/sfdisk.c
index 3911dda850fce941fbf0a3c50b81ca50e8b742bc..52ccc5251cfee59258c1fe8cc03cb792bc1c59e4 100644 (file)
--- a/disk-utils/sfdisk.c
+++ b/disk-utils/sfdisk.c
@@ -133,7 +133,9 @@ static int get_user_reply(const char *prompt, char *buf, size_t bufsz)
                p = readline(prompt);
                if (!p)
                        return 1;
-               memcpy(buf, p, bufsz);
+               strncpy(buf, p, bufsz);
+               if (bufsz != 0)
+                       buf[bufsz - 1] = '\0';
                free(p);
        } else
 #endif