From: Thomas Egerer Date: Thu, 27 Feb 2014 08:45:08 +0000 (+0100) Subject: settings: Avoid conf file parsing beyond allocated buffer X-Git-Tag: 5.1.3dr1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7acdebf6c072b30cd91873d95143e184cf4663f0;p=thirdparty%2Fstrongswan.git settings: Avoid conf file parsing beyond allocated buffer A valgrind analysis of libstrongswan revealed an invalid read of 1 in the function starts_with(). A more thorough analysis proved this to be true and showed that with a specially crafted config file (e.g. a single '#'-character not followed by a newline), the parser might even interpret the random memory contents following the allocated buffer as part of the configuration file. The way the parser is designed, it must be able to skip an inserted '\0' and continue parsing. Since it is not able to skip two '\0' characters, the 'fix' of allocating two more bytes than the size of the parsed file and setting them to '\0' seems to be a safe bet. Signed-off-by: Thomas Egerer --- diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c index 490490a1e8..a76287b01b 100644 --- a/src/libstrongswan/utils/settings.c +++ b/src/libstrongswan/utils/settings.c @@ -1244,8 +1244,8 @@ static bool parse_file(linked_list_t *contents, char *file, int level, fseek(fd, 0, SEEK_END); len = ftell(fd); rewind(fd); - text = malloc(len + 1); - text[len] = '\0'; + text = malloc(len + 2); + text[len] = text[len + 1] = '\0'; if (fread(text, 1, len, fd) != len) { free(text);