git: d13121853497 - main - h_resolv: Fix a buffer overflow in load().
Date: Wed, 28 Dec 2022 17:40:05 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=d131218534977f1b2ed590380e70d59a3b20b333
commit d131218534977f1b2ed590380e70d59a3b20b333
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-12-28 17:39:18 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-12-28 17:39:18 +0000
h_resolv: Fix a buffer overflow in load().

fgetln() returns a pointer to an array of characters that is 'len'
characters long, not 'len + 1'. While here, overwriting the contents
of the buffer returned by fgetln isn't really safe, so switch to using
getline() instead.

Note that these fixes are a subset of those applied to a
near-identical copy of this function in libc's resolv_test.c in commit
2afeaad315ac19450389b8f2befdbe7c91c37818.

Reviewed by: ngie
Reported by: CHERI (buffer overflow)
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D37886
---
contrib/netbsd-tests/lib/libpthread/h_resolv.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/contrib/netbsd-tests/lib/libpthread/h_resolv.c b/contrib/netbsd-tests/lib/libpthread/h_resolv.c
index 9c5fedcc2e7f..d8756de96d23 100644
--- a/contrib/netbsd-tests/lib/libpthread/h_resolv.c
+++ b/contrib/netbsd-tests/lib/libpthread/h_resolv.c
@@ -73,18 +73,18 @@ static void
load(const char *fname)
{
FILE *fp;
- size_t len;
+ size_t linecap;
char *line;
if ((fp = fopen(fname, "r")) == NULL)
err(1, "Cannot open `%s'", fname);
- while ((line = fgetln(fp, &len)) != NULL) {
- char c = line[len];
+ line = NULL;
+ linecap = 0;
+ while (getline(&line, &linecap, fp) >= 0) {
char *ptr;
- line[len] = '\0';
+
for (ptr = strtok(line, WS); ptr; ptr = strtok(NULL, WS))
sl_add(hosts, strdup(ptr));
- line[len] = c;
}
(void)fclose(fp);
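Review bot: the buffer that getline() allocates into line is never released in the lines shown; control goes from the loop's closing brace straight to (void)fclose(fp). Since line starts as NULL with linecap 0, getline() owns the allocation and grows it as needed, so a free(line); after the loop would complete the conversion from fgetln(), whose buffer belonged to the stream. A second, smaller point on the loop condition: getline() returns -1 for both end of file and a read error, so checking ferror(fp) before the fclose() would keep a partially read hosts file from being treated as a complete one. The tokenizing itself is fine as long as WS includes '\n', because getline() keeps the trailing newline in the buffer; WS is defined outside this hunk, so that is worth confirming.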