aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlessio Balsini <balsini@android.com>2019-10-14 17:06:39 +0100
committerRob Landley <rob@landley.net>2019-10-14 15:28:28 -0500
commit0bcd6c10f7d227f335342bda8b2ffced785f2514 (patch)
treec555e8b7facdd3746902f65a75edfb06aed479eb
parent99eeaec65441a03d8b0b3003de6aeb6a1b5a741b (diff)
downloadtoybox-0bcd6c10f7d227f335342bda8b2ffced785f2514.tar.gz
losetup: Fix null-termination of src string instead of dest after copy
The function loopback_setup(), after copying the loopback device name with xstrncpy(), ensures the null-termination of the string by forcing its last byte to 0. Unfortunately, this operation: - was probably intended to null-terminate dest instead; - does not affect the program execution because src is free()d right after; - if the size of src is smaller than the offset of the written zero, it modifies an unknown byte in the heap. Drop the null-termination line to fix the issue: xstrcpy() automatically null-terminates dest, or fails if the size of src is bigger than the the requested number of bytes to copy. Signed-off-by: Alessio Balsini <balsini@android.com>
-rw-r--r--toys/other/losetup.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/toys/other/losetup.c b/toys/other/losetup.c
index e73761a0..917e64ea 100644
--- a/toys/other/losetup.c
+++ b/toys/other/losetup.c
@@ -113,7 +113,6 @@ static int loopback_setup(char *device, char *file)
loop->lo_offset = TT.o;
loop->lo_sizelimit = TT.S;
xstrncpy((char *)loop->lo_file_name, s, LO_NAME_SIZE);
- s[LO_NAME_SIZE-1] = 0;
if (ioctl(lfd, LOOP_SET_STATUS64, loop)) perror_exit("%s=%s", device, file);
if (FLAG(s)) puts(device);
free(s);