Commit e5243c16 authored by Jo-Philipp Wich's avatar Jo-Philipp Wich

file: rpc_file_exec_run: fix potential memory leak and integer overflow

 - Store the realloc result in a separate pointer so that we can free
   the original on allocation failure
 - Use an explicit uint8_t for the argument vector length instead of
   "char" which might be signed or unsigned, depending on the arch
 - Bail out with an invalid argument error if the argument vector
   exceeds 255 items
Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
parent 3aa81d0d
......@@ -20,6 +20,7 @@
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
......@@ -326,7 +327,7 @@ static int
rpc_file_md5(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
{
{
int rv, i;
char *path;
struct stat s;
......@@ -606,8 +607,8 @@ rpc_file_exec_run(const char *cmd,
int rem;
struct blob_attr *cur;
char arglen;
char **args;
uint8_t arglen;
char **args, **tmp;
struct rpc_file_exec_context *c;
......@@ -657,11 +658,22 @@ rpc_file_exec_run(const char *cmd,
if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
continue;
if (arglen == 255)
{
free(args);
return UBUS_STATUS_INVALID_ARGUMENT;
}
arglen++;
tmp = realloc(args, sizeof(char *) * arglen);
if (!(args = realloc(args, sizeof(char *) * arglen)))
if (!tmp)
{
free(args);
return UBUS_STATUS_UNKNOWN_ERROR;
}
args = tmp;
args[arglen-2] = blobmsg_data(cur);
args[arglen-1] = NULL;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment