From 3ddfc6093be6bc0b6f9567150e6e1247ddd0c0db Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Fri, 3 Feb 2017 15:18:49 +0100
Subject: [PATCH] Fix -k argument processing to avoid out-of-bounds memory accesses Mangling of keyfile_dir and allocation of keyfile_path led to rare crashes (and Valgrind complaints). The error was introduced in 21f3a6b9d0ed3b4ae05d4d1f1612f0f277235723.
---
 daemon/main.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/daemon/main.c b/daemon/main.c
index 435a09275..7e2cf61e6 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -640,17 +640,18 @@ int main(int argc, char **argv)
 char *_filename = basename(basename_storage);
 int dirlen = strlen(keyfile_dir);
 int namelen = strlen(_filename);
- if (dirlen + namelen >= PATH_MAX) {
+ if (dirlen + 1 + namelen >= PATH_MAX) {
 kr_log_error("[ ta ]: keyfile '%s' PATH_MAX exceeded\n", keyfile);
 ret = EXIT_FAILURE;
 goto cleanup;
 }
- keyfile_dir[dirlen] = '/';
+ keyfile_dir[dirlen++] = '/';
+ keyfile_dir[dirlen] = '\0';
 auto_free char *keyfile_path = malloc(dirlen + namelen + 1);
- memcpy(keyfile_path, keyfile_dir, dirlen + 1);
- memcpy(keyfile_path + dirlen + 1, _filename, namelen + 1);
+ memcpy(keyfile_path, keyfile_dir, dirlen);
+ memcpy(keyfile_path + dirlen, _filename, namelen + 1);
 int unmanaged = 0;
--
2.47.2
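Review bot: The result of `malloc(dirlen + namelen + 1)` goes straight into the two `memcpy` calls with no NULL check, so an allocation failure while processing `-k` becomes a write through a null pointer instead of a clean exit. A guard right after the allocation, reusing the error path already visible in this hunk, would close that: `if (!keyfile_path) { ret = EXIT_FAILURE; goto cleanup; }`. Separately, the two new stores into `keyfile_dir` need the buffer to hold the original string length plus two bytes; the `PATH_MAX` check only guarantees that if `keyfile_dir` is itself `PATH_MAX` bytes, and its allocation is outside the hunk, so that should be confirmed. `main` starts and ends outside this hunk.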