From 0bcd6c10f7d227f335342bda8b2ffced785f2514 Mon Sep 17 00:00:00 2001 From: Alessio Balsini Date: Mon, 14 Oct 2019 17:06:39 +0100 Subject: losetup: Fix null-termination of src string instead of dest after copy The function loopback_setup(), after copying the loopback device name with xstrncpy(), ensures the null-termination of the string by forcing its last byte to 0. Unfortunately, this operation: - was probably intended to null-terminate dest instead; - does not affect the program execution because src is free()d right after; - if the size of src is smaller than the offset of the written zero, it modifies an unknown byte in the heap. Drop the null-termination line to fix the issue: xstrcpy() automatically null-terminates dest, or fails if the size of src is bigger than the the requested number of bytes to copy. Signed-off-by: Alessio Balsini --- toys/other/losetup.c | 1 - 1 file changed, 1 deletion(-) diff --git a/toys/other/losetup.c b/toys/other/losetup.c index e73761a0..917e64ea 100644 --- a/toys/other/losetup.c +++ b/toys/other/losetup.c @@ -113,7 +113,6 @@ static int loopback_setup(char *device, char *file) loop->lo_offset = TT.o; loop->lo_sizelimit = TT.S; xstrncpy((char *)loop->lo_file_name, s, LO_NAME_SIZE); - s[LO_NAME_SIZE-1] = 0; if (ioctl(lfd, LOOP_SET_STATUS64, loop)) perror_exit("%s=%s", device, file); if (FLAG(s)) puts(device); free(s); -- cgit v1.2.3