blob: 8cb7fb2a54d3b6dc6b7ada0853fde3dd24919204 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <okiddle@yahoo.co.uk>
Date: Sat, 24 Mar 2018 15:02:41 +0100
Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
hashcmd()
diff --git a/Src/exec.c b/Src/exec.c
index 35b0bb191..e154d1249 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -920,7 +920,7 @@ hashcmd(char *arg0, char **pp)
for (; *pp; pp++)
if (**pp == '/') {
s = buf;
- strucpy(&s, *pp);
+ struncpy(&s, *pp, PATH_MAX);
*s++ = '/';
if ((s - buf) + strlen(arg0) >= PATH_MAX)
continue;
diff --git a/Src/utils.c b/Src/utils.c
index 3b589aa35..998b16220 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
{
char *u = *s;
- while (n--)
- *u++ = *t++;
+ while (n-- && (*u++ = *t++));
*s = u;
- *u = '\0';
+ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
+ *u = '\0';
}
/* Return the number of elements in an array of pointers. *
|
