diff options
author | Ashwini Sharma <ak.ashwini1981@gmail.com> | 2014-05-02 06:24:11 -0500 |
---|---|---|
committer | Ashwini Sharma <ak.ashwini1981@gmail.com> | 2014-05-02 06:24:11 -0500 |
commit | 26b21882bfd8a3712614e94dde41a5194dda7aee (patch) | |
tree | 9f936f5381b9237fa8f5fc4baa553302c9916ded /lib | |
parent | a547cf11686a878d2fd1a42a05719b78903009ad (diff) | |
download | toybox-26b21882bfd8a3712614e94dde41a5194dda7aee.tar.gz |
In function readfile(), the buffer buf is free'd when readall() fails. This free can cause a crash, if the buffer passed by user of function is not malloc'ed one.
names_to_pid() is one usecase example here.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/lib.c | 8 |
1 files changed, 5 insertions, 3 deletions
@@ -323,9 +323,10 @@ off_t fdlength(int fd) // Read contents of file as a single nul-terminated string. // malloc new one if buf=len=0 -char *readfile(char *name, char *buf, off_t len) +char *readfile(char *name, char *ibuf, off_t len) { int fd; + char *buf; fd = open(name, O_RDONLY); if (fd == -1) return 0; @@ -335,12 +336,13 @@ char *readfile(char *name, char *buf, off_t len) // proc files don't report a length, so try 1 page minimum. if (len<4096) len = 4096; } - if (!buf) buf = xmalloc(len+1); + if (!ibuf) buf = xmalloc(len+1); + else buf = ibuf; len = readall(fd, buf, len-1); close(fd); if (len<0) { - free(buf); + if (ibuf != buf) free(buf); buf = 0; } else buf[len] = 0; |