Package: attr / 1:2.4.48-4

0009-attr_list-attr_listf-Guard-against-unterminated-buff.patch Patch series | download
From cb4786f1b6eb694545541bef89f942b00c2ff022 Mon Sep 17 00:00:00 2001
From: Andreas Gruenbacher <agruenba@redhat.com>
Date: Mon, 17 Dec 2018 14:38:26 +0100
Subject: [PATCH 9/9] attr_list, attr_listf: Guard against unterminated buffer

attr_list and attr_listf can crash when the listxattr, llistxattr, or
flistxattr syscalls incorrectly return an unterminated buffer.  Guard
against that by always appending a null character.
---
 libattr/libattr.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libattr/libattr.c b/libattr/libattr.c
index 8180c3f..d550e10 100644
--- a/libattr/libattr.c
+++ b/libattr/libattr.c
@@ -290,7 +290,7 @@ attr_list(const char *path, char *buffer, const int buffersize, int flags,
 {
 	const char *l;
 	int length, vlength, count = 0;
-	char lbuf[MAXLISTLEN];
+	char lbuf[MAXLISTLEN+1];
 	char name[MAXNAMELEN+16];
 	int start_offset, end_offset;
 
@@ -301,11 +301,12 @@ attr_list(const char *path, char *buffer, const int buffersize, int flags,
 	bzero(buffer, sizeof(attrlist_t));
 
 	if (flags & ATTR_DONTFOLLOW)
-		length = llistxattr(path, lbuf, sizeof(lbuf));
+		length = llistxattr(path, lbuf, sizeof(lbuf) - 1);
 	else
-		length = listxattr(path, lbuf, sizeof(lbuf));
+		length = listxattr(path, lbuf, sizeof(lbuf) - 1);
 	if (length <= 0)
 		return length;
+	lbuf[length] = 0;  /* not supposed to be necessary */
 
 	start_offset = sizeof(attrlist_t);
 	end_offset = buffersize & ~(8-1);	/* 8 byte align */
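Review bot: Writing the terminator at `lbuf[length]` keeps string functions inside the array, but it may not be sufficient if the loop that walks the names (outside this hunk) ends on an equality test against `lbuf + length`. With an unterminated final name, stepping past the added NUL would put the cursor at `lbuf + length + 1`, so an equality test would never match and the walk would continue into uninitialised stack. It is worth confirming that the loop bound is `l < lbuf + length`, or treating a list whose last byte `lbuf[length - 1]` is non-zero as an error instead of patching it up. The same applies to the attr_listf hunk further down, where `length` may be 0, so such a check would need a `length > 0` guard there.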
@@ -340,7 +341,7 @@ attr_listf(int fd, char *buffer, const int buffersize, int flags,
 {
 	const char *l;
 	int length, vlength, count = 0;
-	char lbuf[MAXLISTLEN];
+	char lbuf[MAXLISTLEN+1];
 	char name[MAXNAMELEN+16];
 	int start_offset, end_offset;
 
@@ -350,9 +351,10 @@ attr_listf(int fd, char *buffer, const int buffersize, int flags,
 	}
 	bzero(buffer, sizeof(attrlist_t));
 
-	length = flistxattr(fd, lbuf, sizeof(lbuf));
+	length = flistxattr(fd, lbuf, sizeof(lbuf) - 1);
 	if (length < 0)
 		return length;
+	lbuf[length] = 0;  /* not supposed to be necessary */
 
 	start_offset = sizeof(attrlist_t);
 	end_offset = buffersize & ~(8-1);	/* 8 byte align */
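Review bot: The comment `/* not supposed to be necessary */` on the added `lbuf[length] = 0;` does not say what is being guarded against, which invites a later cleanup to remove the line. Something like `/* defensive: flistxattr may return a list whose last name lacks its NUL */` would record the reason given in the commit message, and the matching comment in attr_list could be reworded the same way. This function also lets `length == 0` fall through where attr_list returns on `length <= 0`; the store is in bounds either way, but the difference looks unintentional. attr_listf's body continues outside the hunk.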
-- 
2.21.0.rc2.261.ga7da99ff1b