Fix -k argument processing to avoid out-of-bounds memory accesses
authorPetr Špaček <petr.spacek@nic.cz>
Fri, 3 Feb 2017 14:18:49 +0000 (15:18 +0100)
committerPetr Špaček <petr.spacek@nic.cz>
Tue, 7 Feb 2017 07:45:05 +0000 (08:45 +0100)
Mangling of keyfile_dir and allocation of keyfile_path led to rare
crashes (and Valgrind complaints).

The error was introduced in 21f3a6b9d0ed3b4ae05d4d1f1612f0f277235723.

daemon/main.c

index 435a09275861ff8782edeb981aca0df23c3cd18b..7e2cf61e665ce6d513fd74951e762dea9f05da4d 100644 (file)
@@ -640,17 +640,18 @@ int main(int argc, char **argv)
                char *_filename = basename(basename_storage);
                int dirlen = strlen(keyfile_dir);
                int namelen = strlen(_filename);
-               if (dirlen + namelen >= PATH_MAX) {
+               if (dirlen + 1 + namelen >= PATH_MAX) {
                        kr_log_error("[ ta ]: keyfile '%s' PATH_MAX exceeded\n",
                                     keyfile);
                        ret = EXIT_FAILURE;
                        goto cleanup;
                }
-               keyfile_dir[dirlen] = '/';
+               keyfile_dir[dirlen++] = '/';
+               keyfile_dir[dirlen] = '\0';
 
                auto_free char *keyfile_path = malloc(dirlen + namelen + 1);
-               memcpy(keyfile_path, keyfile_dir, dirlen + 1);
-               memcpy(keyfile_path + dirlen + 1, _filename, namelen + 1);
+               memcpy(keyfile_path, keyfile_dir, dirlen);
+               memcpy(keyfile_path + dirlen, _filename, namelen + 1);
 
                int unmanaged = 0;
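Review bot: The result of `malloc(dirlen + namelen + 1)` goes straight into the two `memcpy` calls with no NULL check, so an allocation failure becomes a write through a null pointer instead of a clean startup error; this commit corrects the sizes but leaves that gap. Adding `if (!keyfile_path) { ret = EXIT_FAILURE; goto cleanup; }` right after the allocation would match the PATH_MAX error path just above it. The new `keyfile_dir[dirlen] = '\0';` store is in bounds only if keyfile_dir is at least PATH_MAX bytes, which the `dirlen + 1 + namelen >= PATH_MAX` check appears to assume. Its declaration is outside the hunk, so a one-line comment such as `/* keyfile_dir is PATH_MAX bytes; the check above leaves room for '/' and NUL */` would make that invariant visible. The body of main() starts and continues outside this hunk.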