diff options
| author | Denis Vlasenko <vda.linux@googlemail.com> | 2008-03-24 00:04:42 +0000 |
|---|---|---|
| committer | Denis Vlasenko <vda.linux@googlemail.com> | 2008-03-24 00:04:42 +0000 |
| commit | 0b6c6a9c9f555a33d681290cce77510460457c03 (patch) | |
| tree | 0d5f95c0cc0a2f6945aa97fa50266e8b8288da75 /libbb | |
| parent | a79428998d76c1758ca12546e5db945a0cd64518 (diff) | |
| download | busybox-w32-0b6c6a9c9f555a33d681290cce77510460457c03.tar.gz busybox-w32-0b6c6a9c9f555a33d681290cce77510460457c03.tar.bz2 busybox-w32-0b6c6a9c9f555a33d681290cce77510460457c03.zip | |
lpd: fix OOM vulnerability (was eating arbitrarily large commands)
Diffstat (limited to 'libbb')
| -rw-r--r-- | libbb/read.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libbb/read.c b/libbb/read.c index 575446536..9c025e3a3 100644 --- a/libbb/read.c +++ b/libbb/read.c | |||
| @@ -152,13 +152,14 @@ char *reads(int fd, char *buffer, size_t size) | |||
| 152 | // Read one line a-la fgets. Reads byte-by-byte. | 152 | // Read one line a-la fgets. Reads byte-by-byte. |
| 153 | // Useful when it is important to not read ahead. | 153 | // Useful when it is important to not read ahead. |
| 154 | // Bytes are appended to pfx (which must be malloced, or NULL). | 154 | // Bytes are appended to pfx (which must be malloced, or NULL). |
| 155 | char *xmalloc_reads(int fd, char *buf) | 155 | char *xmalloc_reads(int fd, char *buf, size_t *maxsz_p) |
| 156 | { | 156 | { |
| 157 | char *p; | 157 | char *p; |
| 158 | int sz = buf ? strlen(buf) : 0; | 158 | size_t sz = buf ? strlen(buf) : 0; |
| 159 | size_t maxsz = maxsz_p ? *maxsz_p : MAXINT(size_t); | ||
| 159 | 160 | ||
| 160 | goto jump_in; | 161 | goto jump_in; |
| 161 | while (1) { | 162 | while (sz < maxsz) { |
| 162 | if (p - buf == sz) { | 163 | if (p - buf == sz) { |
| 163 | jump_in: | 164 | jump_in: |
| 164 | buf = xrealloc(buf, sz + 128); | 165 | buf = xrealloc(buf, sz + 128); |
| @@ -178,6 +179,8 @@ char *xmalloc_reads(int fd, char *buf) | |||
| 178 | p++; | 179 | p++; |
| 179 | } | 180 | } |
| 180 | *p++ = '\0'; | 181 | *p++ = '\0'; |
| 182 | if (maxsz_p) | ||
| 183 | *maxsz_p = p - buf - 1; | ||
| 181 | return xrealloc(buf, p - buf); | 184 | return xrealloc(buf, p - buf); |
| 182 | } | 185 | } |
| 183 | 186 | ||