diff options
author | Denis Vlasenko | 2008-03-24 00:04:42 +0000 |
---|---|---|
committer | Denis Vlasenko | 2008-03-24 00:04:42 +0000 |
commit | 0b6c6a9c9f555a33d681290cce77510460457c03 (patch) | |
tree | 0d5f95c0cc0a2f6945aa97fa50266e8b8288da75 /libbb | |
parent | a79428998d76c1758ca12546e5db945a0cd64518 (diff) | |
download | busybox-0b6c6a9c9f555a33d681290cce77510460457c03.zip busybox-0b6c6a9c9f555a33d681290cce77510460457c03.tar.gz |
lpd: fix OOM vulnerability (was eating arbitrarily large commands)
Diffstat (limited to 'libbb')
-rw-r--r-- | libbb/read.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libbb/read.c b/libbb/read.c index 5754465..9c025e3 100644 --- a/libbb/read.c +++ b/libbb/read.c @@ -152,13 +152,14 @@ char *reads(int fd, char *buffer, size_t size) // Read one line a-la fgets. Reads byte-by-byte. // Useful when it is important to not read ahead. // Bytes are appended to pfx (which must be malloced, or NULL). -char *xmalloc_reads(int fd, char *buf) +char *xmalloc_reads(int fd, char *buf, size_t *maxsz_p) { char *p; - int sz = buf ? strlen(buf) : 0; + size_t sz = buf ? strlen(buf) : 0; + size_t maxsz = maxsz_p ? *maxsz_p : MAXINT(size_t); goto jump_in; - while (1) { + while (sz < maxsz) { if (p - buf == sz) { jump_in: buf = xrealloc(buf, sz + 128); @@ -178,6 +179,8 @@ char *xmalloc_reads(int fd, char *buf) p++; } *p++ = '\0'; + if (maxsz_p) + *maxsz_p = p - buf - 1; return xrealloc(buf, p - buf); } |