proxmox-mirrors/mirror_iproute2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_iproute2 synced 2025-10-10 16:43:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

utils: fix makeargs stack overflow

Browse Source 
The makeargs() function did not handle end of string correctly
and would reference past end of string.

Found by fuzzing with ASAN.

Reported-by:Bug Basher <iamliketohack@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
This commit is contained in:
Stephen Hemminger 2017-12-18 11:10:53 -08:00
parent 5073581835
commit bd9cea5d8c
1 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
lib/utils.c
View File

@ -1206,10 +1206,16 @@ ssize_t getcmdline(char **linep, size_t *lenp, FILE *in)
int makeargs(char *line, char *argv[], int maxargs)
{
static const char ws[] = " \t\r\n";
char *cp;
char *cp = line;
int argc = 0;
for (cp = line + strspn(line, ws); *cp; cp += strspn(cp, ws)) {
while (*cp) {
/* skip leading whitespace */
cp += strspn(cp, ws);
if (*cp == '\0')
break;
if (argc >= (maxargs - 1)) {
fprintf(stderr, "Too many arguments to command\n");
exit(1);
@ -1226,13 +1232,16 @@ int makeargs(char *line, char *argv[], int maxargs)
fprintf(stderr, "Unterminated quoted string\n");
exit(1);
}
*cp++ = 0;
continue;
} else {
argv[argc++] = cp;
/* find end of word */
cp += strcspn(cp, ws);
if (*cp == '\0')
break;
}
argv[argc++] = cp;
/* find end of word */
cp += strcspn(cp, ws);
/* seperate words */
*cp++ = 0;
}
argv[argc] = NULL;