aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAshwini Sharma <ak.ashwini1981@gmail.com>2014-05-02 06:24:11 -0500
committerAshwini Sharma <ak.ashwini1981@gmail.com>2014-05-02 06:24:11 -0500
commit26b21882bfd8a3712614e94dde41a5194dda7aee (patch)
tree9f936f5381b9237fa8f5fc4baa553302c9916ded
parenta547cf11686a878d2fd1a42a05719b78903009ad (diff)
downloadtoybox-26b21882bfd8a3712614e94dde41a5194dda7aee.tar.gz
In function readfile(), the buffer buf is free'd when readall() fails. This free can cause a crash, if the buffer passed by user of function is not malloc'ed one.
names_to_pid() is one usecase example here.
-rw-r--r--lib/lib.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/lib.c b/lib/lib.c
index c1029d20..670f6a71 100644
--- a/lib/lib.c
+++ b/lib/lib.c
@@ -323,9 +323,10 @@ off_t fdlength(int fd)
// Read contents of file as a single nul-terminated string.
// malloc new one if buf=len=0
-char *readfile(char *name, char *buf, off_t len)
+char *readfile(char *name, char *ibuf, off_t len)
{
int fd;
+ char *buf;
fd = open(name, O_RDONLY);
if (fd == -1) return 0;
@@ -335,12 +336,13 @@ char *readfile(char *name, char *buf, off_t len)
// proc files don't report a length, so try 1 page minimum.
if (len<4096) len = 4096;
}
- if (!buf) buf = xmalloc(len+1);
+ if (!ibuf) buf = xmalloc(len+1);
+ else buf = ibuf;
len = readall(fd, buf, len-1);
close(fd);
if (len<0) {
- free(buf);
+ if (ibuf != buf) free(buf);
buf = 0;
} else buf[len] = 0;