udev: fix buffer overflow in udev_event_apply_format()

author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Sat, 16 Sep 2017 06:38:28 +0000 (08:38 +0200)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Sat, 16 Sep 2017 06:43:26 +0000 (08:43 +0200)
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 16 Sep 2017 06:38:28 +0000 (08:38 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 16 Sep 2017 06:43:26 +0000 (08:43 +0200)
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c

index 601f0ee..09f7baf 100644 (file)
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -362,7 +362,7 @@ size_t udev_event_apply_format(struct udev_event *event,
                          }
  copy:
                          /* copy char */
-                        if (l == 0)
+                        if (l < 2) /* need space for this char and the terminating NUL */
                                  goto out;
                          s[0] = from[0];
                          from++;
@@ -377,12 +377,12 @@ subst:
                          unsigned int i;
  
                          from++;
-                        for (i = 0; from[i] != '}'; i++) {
+                        for (i = 0; from[i] != '}'; i++)
                                  if (from[i] == '\0') {
                                          log_error("missing closing brace for format '%s'", src);
                                          goto out;
                                  }
-                        }
+
                          if (i >= sizeof(attrbuf))
                                  goto out;
                          memcpy(attrbuf, from, i);
@@ -407,6 +407,7 @@ subst:
          }
  
  out:
+        assert(l >= 1);
          s[0] = '\0';
          return l;
  }
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Sat, 16 Sep 2017 06:38:28 +0000 (08:38 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Sat, 16 Sep 2017 06:43:26 +0000 (08:43 +0200)