authorRyan Mallon2014-01-09 19:14:07 +0100
committerDenys Vlasenko2014-01-09 19:15:16 +0100
commit89deb22f9745e145fdbb4fbe985cfa9e20e90024 (patch)
tree3205c4004d321fddd0ad6dc4eba80bebd6e87afa
parent16ca379b55eb5dc1cacfaabf4ca026c49fb516bd (diff)
fakeidentd: fix use-after-free
function old new delta do_rd 199 197 -2 Signed-off-by: Ryan Mallon <rmallon@gmail.com> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--networking/isrv_identd.c25
1 files changed, 12 insertions, 13 deletions
diff --git a/networking/isrv_identd.c b/networking/isrv_identd.c
index a41405c..c6b0f65 100644
--- a/networking/isrv_identd.c
+++ b/networking/isrv_identd.c
@@ -51,19 +51,18 @@ static int do_rd(int fd, void **paramp)
{
identd_buf_t *buf = *paramp;
char *cur, *p;
- int retval = 0; /* session is ok (so far) */
int sz;
cur = buf->buf + buf->pos;
if (buf->fd_flag & O_NONBLOCK)
fcntl(fd, F_SETFL, buf->fd_flag);
- sz = safe_read(fd, cur, sizeof(buf->buf) - buf->pos);
+ sz = safe_read(fd, cur, sizeof(buf->buf) - 1 - buf->pos);
if (sz < 0) {
if (errno != EAGAIN)
- goto term; /* terminate this session if !EAGAIN */
- goto ok;
+ goto term;
+ return 0; /* "session is ok" */
}
buf->pos += sz;
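Review bot: The early `return 0` on EAGAIN no longer passes through the old `ok:` label, so the `fcntl(fd, F_SETFL, buf->fd_flag & ~O_NONBLOCK)` restore is skipped and the descriptor stays in nonblocking mode between calls; the second `return 0` in the next hunk has the same effect. This is a behaviour change beyond the use-after-free fix, and the commit message does not mention it. If it is intended, record it at the return, e.g. `return 0; /* "session is ok"; fd is left nonblocking */`. It is presumably harmless because the next call applies `buf->fd_flag` again, but that depends on callers outside this hunk. do_rd's body continues past the hunk.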
@@ -71,19 +70,19 @@ static int do_rd(int fd, void **paramp)
p = strpbrk(cur, "\r\n");
if (p)
*p = '\0';
- if (!p && sz && buf->pos <= (int)sizeof(buf->buf))
- goto ok;
+ if (!p && sz && buf->pos < (int)sizeof(buf->buf))
+ return 0; /* "session is ok" */
+
/* Terminate session. If we are in server mode, then
* fd is still in nonblocking mode - we never block here */
- if (fd == 0) fd++; /* inetd mode? then write to fd 1 */
+ if (fd == 0)
+ fd++; /* inetd mode? then write to fd 1 */
fdprintf(fd, "%s : USERID : UNIX : %s\r\n", buf->buf, bogouser);
- term:
- free(buf);
- retval = 1; /* terminate */
- ok:
if (buf->fd_flag & O_NONBLOCK)
fcntl(fd, F_SETFL, buf->fd_flag & ~O_NONBLOCK);
- return retval;
+ term:
+ free(buf);
+ return 1; /* "terminate" */
}
static int do_timeout(void **paramp UNUSED_PARAM)
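Review bot: The bound in `if (!p && sz && buf->pos < (int)sizeof(buf->buf))` is now always true, because the read in the previous hunk is limited to `sizeof(buf->buf) - 1 - buf->pos`, so `buf->pos` can never exceed `sizeof(buf->buf) - 1`. A peer that fills the buffer without sending CR or LF is therefore not cut off at that point; the session ends only on a later call, presumably when the zero-length read returns 0. Comparing against the usable size restores the cut-off on the call that fills the buffer: `if (!p && sz && buf->pos < (int)sizeof(buf->buf) - 1)`. do_rd starts before this hunk.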
@@ -120,7 +119,7 @@ int fakeidentd_main(int argc UNUSED_PARAM, char **argv)
opt = getopt32(argv, "fiwb:", &bind_address);
strcpy(bogouser, "nobody");
if (argv[optind])
- strncpy(bogouser, argv[optind], sizeof(bogouser));
+ strncpy(bogouser, argv[optind], sizeof(bogouser) - 1);
/* Daemonize if no -f and no -i and no -w */
if (!(opt & OPT_fiw))
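Review bot: `strncpy(bogouser, argv[optind], sizeof(bogouser) - 1)` still writes no terminator when the argument is `sizeof(bogouser) - 1` bytes or longer. The string is then NUL-terminated only if the last byte of `bogouser` already happens to be zero, which depends on its definition outside this hunk. Because `bogouser` is formatted with `%s` into the reply in do_rd, make the termination explicit right after the copy: `bogouser[sizeof(bogouser) - 1] = '\0';`. An over-long name is also truncated silently, and rejecting it with an error may be preferable. fakeidentd_main continues outside the hunk.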