From d3e6676f8f5fbd2fdd5ff9c9a64782277ffa3e48 Mon Sep 17 00:00:00 2001 From: Michal Nazarewicz Date: Tue, 12 Nov 2013 15:08:41 -0800 Subject: [PATCH] gen_init_cpio: avoid NULL pointer dereference and rework env expanding getenv() may return NULL if given environment variable does not exist which leads to NULL dereference when calling strncat. Besides that, the environment variable name was copied to a temporary env_var buffer, but this copying can be avoided by simply using the input string. Lastly, the whole loop can be greatly simplified by using the snprintf function instead of the playing with strncat. By the way, the current implementation allows a recursive variable expansion, as in: $ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a out a b a out I'm assuming this is just a side effect and not a conscious decision (especially as this may lead to infinite loop), but I didn't want to change this behaviour without consulting. If the current behaviour is deamed incorrect, I'll be happy to send a patch without recursive processing. Signed-off-by: Michal Nazarewicz Cc: Kees Cook Cc: Jiri Kosina Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Change-Id: I575a65c6261288ffe5c1166dc40271fbbc4d11cf --- usr/gen_init_cpio.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c index af8c925e93e..225ad244cf8 100644 --- a/usr/gen_init_cpio.c +++ b/usr/gen_init_cpio.c @@ -382,24 +382,15 @@ error: static char *cpio_replace_env(char *new_location) { char expanded[PATH_MAX + 1]; - char env_var[PATH_MAX + 1]; - char *start; - char *end; - - for (start = NULL; (start = strstr(new_location, "${")); ) { - end = strchr(start, '}'); - if (start < end) { - *env_var = *expanded = '\0'; - strncat(env_var, start + 2, end - start - 2); - strncat(expanded, new_location, start - new_location); - strncat(expanded, getenv(env_var), - PATH_MAX - strlen(expanded)); - strncat(expanded, end + 1, - PATH_MAX - strlen(expanded)); - strncpy(new_location, expanded, PATH_MAX); - new_location[PATH_MAX] = 0; - } else - break; + char *start, *end, *var; + + while ((start = strstr(new_location, "${")) && + (end = strchr(start + 2, '}'))) { + *start = *end = 0; + var = getenv(start + 2); + snprintf(expanded, sizeof expanded, "%s%s%s", + new_location, var ? var : "", end + 1); + strcpy(new_location, expanded); } return new_location; -- 2.20.1