Skip to content

Commit

Permalink
librc: Use proper string length in file_regex.
Browse files Browse the repository at this point in the history 
Currently the code uses the total size of the buffer as the bounds for
looping \0 separated fields, which leads to reading uninitialized data
and possibly overrun the buffer during regexec.

Observed on musl while matching /proc/cpuinfo.
  • Loading branch information
@navi-desu @williamh
navi-desu authored and williamh committed Sep 18, 2024
1 parent 8cafbb7 commit 171ba6d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/librc/librc.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ file_regex(const char *file, const char *regex)
{
FILE *fp;
char *line = NULL;
size_t len = 0;
size_t size = 0, len = 0;
regex_t re;
bool retval = true;
int result;
Expand All @@ -192,7 +192,7 @@ file_regex(const char *file, const char *regex)
return false;
}

while ((rc_getline(&line, &len, fp))) {
while ((len = rc_getline(&line, &size, fp))) {
char *str = line;
/* some /proc files have \0 separated content so we have to
loop through the 'line' */
Expand Down

0 comments on commit 171ba6d

Please sign in to comment.