From 77be531ce5554613fd3d88ff66ca43b211bb0a38 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sat, 25 Jun 2016 20:08:31 +0200
Subject: [PATCH] Properly terminate parsed environment values with '\0'.

The function strncpy() does not guarantee to nul terminate the destination. In most cases, this cannot be triggered, but it is also used to parse user environment variables. These are allowed to be longer than 1023 characters, effectively resulting in an unterminated string. I've adjusted other places as well, because it won't hurt.
---
 va/va.c | 8 ++++++--
 va/va_trace.c | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/va/va.c b/va/va.c
index cd88d67..b524fc7 100644
--- a/va/va.c
+++ b/va/va.c
@@ -74,8 +74,10 @@ int va_parseConfig(char *env, char *env_value)
 continue;
 if (strcmp(token, env) == 0) {
- if (env_value)
+ if (env_value) {
 strncpy(env_value,value, 1024);
+ env_value[1023] = '\0';
+ }
 fclose(fp);
@@ -88,8 +90,10 @@ int va_parseConfig(char *env, char *env_value)
 /* no setting in config file, use env setting */
 value = getenv(env);
 if (value) {
- if (env_value)
+ if (env_value) {
 strncpy(env_value, value, 1024);
+ env_value[1023] = '\0';
+ }
 return 0;
 }
diff --git a/va/va_trace.c b/va/va_trace.c
index a4b499f..0c01c85 100644
--- a/va/va_trace.c
+++ b/va/va_trace.c
@@ -546,6 +546,7 @@ static int open_tracing_specil_file(
 FILE *fp = NULL;
 strncpy(env_value, fn_env, 1024);
+ env_value[0] = '\0';
 FILE_NAME_SUFFIX(env_value, 1024, "ctx-", (unsigned int)ptra_ctx->trace_context);
@@ -594,6 +595,7 @@ static int open_tracing_log_file(
 char env_value[1024];
 strncpy(env_value, pva_trace->fn_log_env, 1024);
+ env_value[1023] = '\0';
 FILE_NAME_SUFFIX(env_value, 1024, "thd-", (unsigned int)thd_id);
-- 
2.9.0
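Review bot: In both va_parseConfig hunks (`@@ -74` and `@@ -88`) the terminator is written at a hard-coded index 1023, but `env_value` is a bare `char *` parameter with no length, so the write is only in bounds if every caller passes at least 1024 bytes. That contract is not visible in the hunks and should be stated on the function, for example `/* env_value, if non-NULL, must point to a buffer of at least 1024 bytes */`. A value longer than 1023 bytes is now cut off silently and the function still takes the `return 0` path, so a caller may act on a truncated setting; consider failing or logging when `strlen(value) >= 1024`. The function body starts and ends outside both hunks.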
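Review bot: The added line in open_tracing_specil_file writes the terminator at index 0, `env_value[0] = '\0';`, which empties the string that `strncpy` has just copied from `fn_env` instead of terminating it at the end of the buffer. Every other hunk in this patch uses index 1023, so this looks like a typo and should read `env_value[1023] = '\0';`. As written, `FILE_NAME_SUFFIX` presumably builds the trace file name from an empty base (the macro body is not shown here), so the configured file name would be lost. The function starts and ends outside the hunk, and the declaration of `env_value` is not visible in it.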
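Review bot: In open_tracing_log_file the buffer size is repeated as a literal in the declaration `char env_value[1024]`, the `strncpy` bound, the new terminator index and the `FILE_NAME_SUFFIX` argument. Because the array is declared in this scope, the copy and the terminator can be tied to it, `strncpy(env_value, pva_trace->fn_log_env, sizeof(env_value));` and `env_value[sizeof(env_value) - 1] = '\0';`, so they cannot drift apart if the buffer size is changed later. The function body continues outside the hunk.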