diff options
| author | Alessio Balsini <balsini@android.com> | 2019-10-14 17:06:39 +0100 |
|---|---|---|
| committer | Rob Landley <rob@landley.net> | 2019-10-14 15:28:28 -0500 |
| commit | 0bcd6c10f7d227f335342bda8b2ffced785f2514 (patch) | |
| tree | c555e8b7facdd3746902f65a75edfb06aed479eb | |
| parent | 99eeaec65441a03d8b0b3003de6aeb6a1b5a741b (diff) | |
| download | toybox-0bcd6c10f7d227f335342bda8b2ffced785f2514.tar.gz | |
losetup: Fix null-termination of src string instead of dest after copy
The function loopback_setup(), after copying the loopback device name
with xstrncpy(), ensures the null-termination of the string by forcing
its last byte to 0.
Unfortunately, this operation:
- was probably intended to null-terminate dest instead;
- does not affect the program execution because src is free()d right
after;
- if the size of src is smaller than the offset of the written zero, it
modifies an unknown byte in the heap.
Drop the null-termination line to fix the issue: xstrcpy() automatically
null-terminates dest, or fails if the size of src is bigger than the the
requested number of bytes to copy.
Signed-off-by: Alessio Balsini <balsini@android.com>
| -rw-r--r-- | toys/other/losetup.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/toys/other/losetup.c b/toys/other/losetup.c index e73761a0..917e64ea 100644 --- a/toys/other/losetup.c +++ b/toys/other/losetup.c @@ -113,7 +113,6 @@ static int loopback_setup(char *device, char *file) loop->lo_offset = TT.o; loop->lo_sizelimit = TT.S; xstrncpy((char *)loop->lo_file_name, s, LO_NAME_SIZE); - s[LO_NAME_SIZE-1] = 0; if (ioctl(lfd, LOOP_SET_STATUS64, loop)) perror_exit("%s=%s", device, file); if (FLAG(s)) puts(device); free(s); |