From: Anton Moryakov Date: Tue, 10 Mar 2026 16:07:15 +0000 (+0300) Subject: shared: util.c: fix buffer overflow in alias_normalize() X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fkmod.git shared: util.c: fix buffer overflow in alias_normalize() The while-loop inside the '[' case of alias_normalize() increments the index 'i' without checking against PATH_MAX bounds. If the input string contains an opening '[' followed by many characters without a closing ']', the index can exceed PATH_MAX-1, causing a buffer overflow when writing to buf[i]. Signed-off-by: Anton Moryakov Reviewed-by: Emil Velikov Link: https://github.com/kmod-project/kmod/pull/431 Signed-off-by: Lucas De Marchi --- diff --git a/shared/util.c b/shared/util.c index 4e2736dd..d4b025b7 100644 --- a/shared/util.c +++ b/shared/util.c @@ -79,10 +79,12 @@ int alias_normalize(const char *alias, char buf[static PATH_MAX], size_t *len) case ']': return -EINVAL; case '[': - while (alias[i] != ']' && alias[i] != '\0') { + while (i < PATH_MAX - 1 && alias[i] != ']' && alias[i] != '\0') { buf[i] = alias[i]; i++; } + if (i >= PATH_MAX - 1) + return -EINVAL; if (alias[i] != ']') return -EINVAL;
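Review bot: in the '[' case of alias_normalize(), the new post-loop check `if (i >= PATH_MAX - 1) return -EINVAL;` also rejects an alias whose closing ']' sits exactly at index PATH_MAX - 1, because the loop stops on the bound before it looks at that character. That is probably the intended behaviour (assuming the last byte of buf is reserved for the terminator, which these lines do not show), but it deserves a one-line comment so the off-by-one is clearly deliberate. The limit is now written twice, once in the loop condition and once in the check after it, and both return the same -EINVAL as the `alias[i] != ']'` test that follows. Folding the two tests into one, `if (i >= PATH_MAX - 1 || alias[i] != ']') return -EINVAL;`, would keep the bound and the unterminated-bracket case together. The diff touches only shared/util.c; a regression test that feeds a '[' followed by at least PATH_MAX characters with no ']' would pin the fix down.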