author | Nickolai Zeldovich <nickolai@csail.mit.edu> | 2013-01-08 15:31:18 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2013-01-08 20:36:48 -0500 |
commit | 6dd83548f4193f8bfd7983240471db0d0c7af626 | |
tree | 9613991d3d9004358cd592ff80b5d2c1d53bc23f | |
parent | bf50beb9f6b4c4d4c9f8fc7fc81d716a9ee79218 | |
e2fsck: do not crash on long log file names
Previously e2fsck would corrupt memory if the log file name was longer
than 100 bytes (e.g., a long log_filename value in e2fsck.conf or a
pattern that expands out to more than 100 bytes). This was due to
incorrectly calling realloc() in append_string() on the struct string
instead of the malloc'ed char* buffer, among other problems. This
patch fixes the call to realloc() and also ensures that the buffer is
grown by sufficiently many bytes (not just by 2x).
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-rw-r--r-- | e2fsck/logfile.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/e2fsck/logfile.c b/e2fsck/logfile.c index 9229fbf9..c48b8eb8 100644 --- a/e2fsck/logfile.c +++ b/e2fsck/logfile.c @@ -36,19 +36,25 @@ static void alloc_string(struct string *s, int len) static void append_string(struct string *s, const char *a, int len) { + int needlen; + if (!len) len = strlen(a); - if (s->end + len >= s->len) { - char *n = realloc(s, s->len * 2); + needlen = s->end + len + 1; + if (needlen > s->len) { + char *n; + + if (s->len * 2 > needlen) + needlen = s->len * 2; + n = realloc(s->s, needlen); if (n) { s->s = n; - s->len = s->len * 2; + s->len = needlen; } else { - len = s->len - s->end - 1; - if (len <= 0) - return; + /* Don't append if we ran out of memory */ + return; } } memcpy(s->s + s->end, a, len); |
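Review bot: The new size computation in append_string() is done in signed `int` (`needlen = s->end + len + 1;` and `s->len * 2`), so a very large `len`, which comes straight from `strlen(a)` when the caller passes 0, can overflow before the `needlen > s->len` test and leave the following `memcpy()` writing past the buffer. Consider `size_t` for the lengths, or reject `len < 0` and any sum that would exceed `INT_MAX` before calling `realloc()`. Separately, the `else` branch now returns without appending while the function stays `void`, so the caller cannot tell that part of the log file name was dropped; returning an error code would let it avoid opening a file under an incomplete name.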