shared: util.c: fix buffer overflow in alias_normalize()

The while-loop inside the '[' case of alias_normalize() increments the
index 'i' without checking against PATH_MAX bounds. If the input string
contains an opening '[' followed by many characters without a closing ']',
the index can exceed PATH_MAX-1, causing a buffer overflow when writing
to buf[i].

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/431
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>

diff --git a/shared/util.c b/shared/util.c
index 4e2736ddb5a4511ed1577a73154a3a373a365e8b..d4b025b7e39ece123f2e05d7a18c8e074ead299c 100644 (file)
--- a/shared/util.c
+++ b/shared/util.c
@@ -79,10 +79,12 @@ int alias_normalize(const char *alias, char buf[static PATH_MAX], size_t *len)
                case ']':
                        return -EINVAL;
                case '[':
-                       while (alias[i] != ']' && alias[i] != '\0') {
+                       while (i < PATH_MAX - 1 && alias[i] != ']' && alias[i] != '\0') {
                                buf[i] = alias[i];
                                i++;
                        }
+                       if (i >= PATH_MAX - 1)
+                               return -EINVAL;
 
                        if (alias[i] != ']')
                                return -EINVAL;