projects / GitHub / LineageOS / android_kernel_samsung_universal7580.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4a3c7f4)
gen_init_cpio: avoid NULL pointer dereference and rework env expanding
authorMichal Nazarewicz <mina86@mina86.com>
Tue, 12 Nov 2013 23:08:41 +0000 (15:08 -0800)
committerDanny Wood <danwood76@gmail.com>
Fri, 8 Nov 2019 12:03:12 +0000 (12:03 +0000)
getenv() may return NULL if given environment variable does not exist
which leads to NULL dereference when calling strncat.

Besides that, the environment variable name was copied to a temporary
env_var buffer, but this copying can be avoided by simply using the input
string.

Lastly, the whole loop can be greatly simplified by using the snprintf
function instead of the playing with strncat.

 By the way, the current implementation allows a recursive variable
 expansion, as in:

   $ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a
   out a b a out

 I'm assuming this is just a side effect and not a conscious decision
 (especially as this may lead to infinite loop), but I didn't want to
 change this behaviour without consulting.

 If the current behaviour is deamed incorrect, I'll be happy to send
 a patch without recursive processing.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jesper Juhl <jj@codesealer.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I575a65c6261288ffe5c1166dc40271fbbc4d11cf

usr/gen_init_cpio.c patch | blob | blame | history

diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index af8c925e93ebd4536e41897c5fcfff10f3fffda8..225ad244cf8833371543c6fb3f0f2df8d54b48dc 100644 (file)
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -382,24 +382,15 @@ error:
 static char *cpio_replace_env(char *new_location)
 {
        char expanded[PATH_MAX + 1];
-       char env_var[PATH_MAX + 1];
-       char *start;
-       char *end;
-
-       for (start = NULL; (start = strstr(new_location, "${")); ) {
-               end = strchr(start, '}');
-               if (start < end) {
-                       *env_var = *expanded = '\0';
-                       strncat(env_var, start + 2, end - start - 2);
-                       strncat(expanded, new_location, start - new_location);
-                       strncat(expanded, getenv(env_var),
-                               PATH_MAX - strlen(expanded));
-                       strncat(expanded, end + 1,
-                               PATH_MAX - strlen(expanded));
-                       strncpy(new_location, expanded, PATH_MAX);
-                       new_location[PATH_MAX] = 0;
-               } else
-                       break;
+       char *start, *end, *var;
+
+       while ((start = strstr(new_location, "${")) &&
+              (end = strchr(start + 2, '}'))) {
+               *start = *end = 0;
+               var = getenv(start + 2);
+               snprintf(expanded, sizeof expanded, "%s%s%s",
+                        new_location, var ? var : "", end + 1);
+               strcpy(new_location, expanded);
        }
 
        return new_location;