From: Jo-Philipp Wich Date: Fri, 21 Dec 2018 07:50:36 +0000 (+0100) Subject: file: rpc_file_exec_run: fix potential memory leak and integer overflow X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=e5243c16eb214d2f6a2008ca4f15c4eb3ec6682c;p=project%2Frpcd.git file: rpc_file_exec_run: fix potential memory leak and integer overflow - Store the realloc result in a separate pointer so that we can free the original on allocation failure - Use an explicit uint8_t for the argument vector length instead of "char" which might be signed or unsigned, depending on the arch - Bail out with an invalid argument error if the argument vector exceeds 255 items Signed-off-by: Jo-Philipp Wich --- diff --git a/file.c b/file.c index 4882598..04be608 100644 --- a/file.c +++ b/file.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -326,7 +327,7 @@ static int rpc_file_md5(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, struct blob_attr *msg) -{ +{ int rv, i; char *path; struct stat s; @@ -606,8 +607,8 @@ rpc_file_exec_run(const char *cmd, int rem; struct blob_attr *cur; - char arglen; - char **args; + uint8_t arglen; + char **args, **tmp; struct rpc_file_exec_context *c; @@ -657,11 +658,22 @@ rpc_file_exec_run(const char *cmd, if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING) continue; + if (arglen == 255) + { + free(args); + return UBUS_STATUS_INVALID_ARGUMENT; + } + arglen++; + tmp = realloc(args, sizeof(char *) * arglen); - if (!(args = realloc(args, sizeof(char *) * arglen))) + if (!tmp) + { + free(args); return UBUS_STATUS_UNKNOWN_ERROR; + } + args = tmp; args[arglen-2] = blobmsg_data(cur); args[arglen-1] = NULL; }