h_resolv: Fix a buffer overflow in load().

fgetln() returns a pointer to an array of characters that is 'len'
characters long, not 'len + 1'.  While here, overwriting the contents
of the buffer returned by fgetln isn't really safe, so switch to using
getline() instead.

Note that these fixes are a subset of those applied to a
near-identical copy of this function in libc's resolv_test.c in commit
2afeaad315.

Reviewed by:	ngie
Reported by:	CHERI (buffer overflow)
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D37886
John Baldwin 2022-12-28 09:39:18 -08:00
parent 058ac3e806
commit d131218534

@ -73,18 +73,18 @@ static void
load(const char *fname)
{
FILE *fp;
size_t len;
size_t linecap;
char *line;
if ((fp = fopen(fname, "r")) == NULL)
err(1, "Cannot open `%s'", fname);
while ((line = fgetln(fp, &len)) != NULL) {
char c = line[len];
line = NULL;
linecap = 0;
while (getline(&line, &linecap, fp) >= 0) {
char *ptr;
line[len] = '\0';
for (ptr = strtok(line, WS); ptr; ptr = strtok(NULL, WS))
sl_add(hosts, strdup(ptr));
line[len] = c;
}
(void)fclose(fp);
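
Review bot: The buffer that getline() allocates into `line` is not released in the lines shown: after the loop closes, the hunk goes straight to `(void)fclose(fp);`. getline() leaves ownership of that buffer with the caller, so a `free(line);` after the loop would avoid leaking it on every call to load(). Two smaller points on the same loop: the loop exit does not distinguish end of file from a read error, which an `ferror(fp)` check after the loop would catch, and `strdup(ptr)` is handed to `sl_add()` without a NULL check, so a failed allocation would be stored in `hosts` silently.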