From d236920b20fd70a139f8af2ff6f5c18d830be491 Mon Sep 17 00:00:00 2001
From: Anton Moryakov <ant.v.moryakov@gmail.com>
Date: Tue, 10 Mar 2026 19:07:15 +0300
Subject: [PATCH] shared: util.c: fix buffer overflow in alias_normalize()

The while-loop inside the '[' case of alias_normalize() increments the
index 'i' without checking against PATH_MAX bounds. If the input string
contains an opening '[' followed by many characters without a closing ']',
the index can exceed PATH_MAX-1, causing a buffer overflow when writing
to buf[i].

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/431
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
---
 shared/util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/shared/util.c b/shared/util.c
index 4e2736dd..d4b025b7 100644
--- a/shared/util.c
+++ b/shared/util.c
@@ -79,10 +79,12 @@ int alias_normalize(const char *alias, char buf[static PATH_MAX], size_t *len)
 		case ']':
 			return -EINVAL;
 		case '[':
-			while (alias[i] != ']' && alias[i] != '\0') {
+			while (i < PATH_MAX - 1 && alias[i] != ']' && alias[i] != '\0') {
 				buf[i] = alias[i];
 				i++;
 			}
+			if (i >= PATH_MAX - 1)
+                		return -EINVAL;
 
 			if (alias[i] != ']')
 				return -EINVAL;
-- 
2.47.3