lpd: fix OOM vulnerability (was eating arbitrarily large commands)

author: Denis Vlasenko <vda.linux@googlemail.com> 2008-03-24 00:04:42 +0000
committer: Denis Vlasenko <vda.linux@googlemail.com> 2008-03-24 00:04:42 +0000
commit: 0b6c6a9c9f555a33d681290cce77510460457c03 (patch)
tree: 0d5f95c0cc0a2f6945aa97fa50266e8b8288da75 /libbb/read.c
parent: a79428998d76c1758ca12546e5db945a0cd64518 (diff)
download: busybox-0b6c6a9c9f555a33d681290cce77510460457c03.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/libbb/read.c b/libbb/read.c
index 575446536..9c025e3a3 100644
--- a/libbb/read.c
+++ b/libbb/read.c
@@ -152,13 +152,14 @@ char *reads(int fd, char *buffer, size_t size)
 // Read one line a-la fgets. Reads byte-by-byte.
 // Useful when it is important to not read ahead.
 // Bytes are appended to pfx (which must be malloced, or NULL).
-char *xmalloc_reads(int fd, char *buf)
+char *xmalloc_reads(int fd, char *buf, size_t *maxsz_p)
 {
 	char *p;
-	int sz = buf ? strlen(buf) : 0;
+	size_t sz = buf ? strlen(buf) : 0;
+	size_t maxsz = maxsz_p ? *maxsz_p : MAXINT(size_t);
 
 	goto jump_in;
-	while (1) {
+	while (sz < maxsz) {
 		if (p - buf == sz) {
  jump_in:
 			buf = xrealloc(buf, sz + 128);
@@ -178,6 +179,8 @@ char *xmalloc_reads(int fd, char *buf)
 		p++;
 	}
 	*p++ = '\0';
+	if (maxsz_p)
+		*maxsz_p  = p - buf - 1;
 	return xrealloc(buf, p - buf);
 }
author	Denis Vlasenko <vda.linux@googlemail.com>	2008-03-24 00:04:42 +0000
committer	Denis Vlasenko <vda.linux@googlemail.com>	2008-03-24 00:04:42 +0000
commit	0b6c6a9c9f555a33d681290cce77510460457c03 (patch)
tree	0d5f95c0cc0a2f6945aa97fa50266e8b8288da75 /libbb/read.c
parent	a79428998d76c1758ca12546e5db945a0cd64518 (diff)
download	busybox-0b6c6a9c9f555a33d681290cce77510460457c03.tar.gz