Let remote_tempdir() assume a NUL-terminated name

This is the case already. We also fix a buffer overflow opportunity in the memcpy() call by this change.
2026-01-09 22:36:17 +00:00 · 2019-04-18 16:06:04 +02:00 · 2019-04-18 16:06:04 +02:00 · 1699bf4e29
commit 1699bf4e29
parent 4aa460891e
5 changed files with 10 additions and 11 deletions
--- a/lib/ipc_int.h
+++ b/lib/ipc_int.h
@ -207,6 +207,6 @@ int32_t qb_ipc_us_sock_error_is_disconnected(int err);

 int use_filesystem_sockets(void);

-void remove_tempdir(const char *name, size_t namelen);
+void remove_tempdir(const char *name);

 #endif /* QB_IPC_INT_H_DEFINED */
--- a/lib/ipc_setup.c
+++ b/lib/ipc_setup.c
@ -904,16 +904,15 @@ retry_accept:
 	return 0;
 }

-void remove_tempdir(const char *name, size_t namelen)
+void remove_tempdir(const char *name)
 {
 #if defined(QB_LINUX) || defined(QB_CYGWIN)
 	char dirname[PATH_MAX];
-	char *slash;
-	memcpy(dirname, name, namelen);
+	char *slash = strrchr(name, '/');

-	slash = strrchr(dirname, '/');
-	if (slash) {
-		*slash = '\0';
+	if (slash && slash - name < sizeof dirname) {
+		memcpy(dirname, name, slash - name);
+		dirname[slash - name] = '\0';
 		/* This gets called more than it needs to be really, so we don't check
 		 * the return code. It's more of a desperate attempt to clean up after ourself
 		 * in either the server or client.
--- a/lib/ipc_shm.c
+++ b/lib/ipc_shm.c
@ -240,7 +240,7 @@ qb_ipcs_shm_disconnect(struct qb_ipcs_connection *c)
 		}
 	}

-	remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+	remove_tempdir(c->description);
 }

 static int32_t
--- a/lib/ipc_socket.c
+++ b/lib/ipc_socket.c
@ -376,7 +376,7 @@ qb_ipcc_us_disconnect(struct qb_ipcc_connection *c)
 	}

 	/* Last-ditch attempt to tidy up after ourself */
-	remove_tempdir(c->request.u.us.shared_file_name, PATH_MAX);
+	remove_tempdir(c->request.u.us.shared_file_name);

 	qb_ipcc_us_sock_close(c->event.u.us.sock);
 	qb_ipcc_us_sock_close(c->request.u.us.sock);
@ -772,7 +772,7 @@ qb_ipcs_us_disconnect(struct qb_ipcs_connection *c)


 	}
-	remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+	remove_tempdir(c->description);
 }

 static int32_t
--- a/lib/ipcs.c
+++ b/lib/ipcs.c
@ -642,7 +642,7 @@ qb_ipcs_disconnect(struct qb_ipcs_connection *c)
 				scheduled_retry = 1;
 			}
 		}
-		remove_tempdir(c->description, CONNECTION_DESCRIPTION);
+		remove_tempdir(c->description);
 		if (scheduled_retry == 0) {
 			/* This removes the initial alloc ref */
 			qb_ipcs_connection_unref(c);