[PATCH] gen_init_cpio: avoid NULL pointer dereference and rework env expanding

From: Michal Nazarewicz
Date: Mon Nov 04 2013 - 05:21:47 EST

Next message: Justin Piszcz: "3.12: raid-1 mismatch_cnt question"
Previous message: Kamil Debski: "RE: [PATCH RFC 1/4] phy: Add new Exynos5 USB 3.0 PHY driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Nazarewicz <mina86@xxxxxxxxxx>

genenv functian may return NULL if given environment variable does not
exist which leads to NULL dereference when calling strncat.

Besides that, the environment variable name was copied to a temporary
env_var buffer, but this copying can be avoided by simply using the
input string.

Lastly, the whole loop can be greatly simplified by using the snprintf
function instead of the playing with strncat.

Signed-off-by: Michal Nazarewicz <mina86@xxxxxxxxxx>
---
By the way, the current implementation allows a recursive variable
expansion, as in:

$ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a
out a b a out

I'm assuming this is just a side effect and not a concious decision
(especially as this may lead to infinite loop), but I didn't want to
change this behaviour without consulting.

If the current behaviour is deamed incorrect, I'll be happy to send
a patch without recursive processing.

usr/gen_init_cpio.c | 27 +++++++++------------------
1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index af8c925..225ad24 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -382,24 +382,15 @@ error:
static char *cpio_replace_env(char *new_location)
{
char expanded[PATH_MAX + 1];
- char env_var[PATH_MAX + 1];
- char *start;
- char *end;
-
- for (start = NULL; (start = strstr(new_location, "${")); ) {
- end = strchr(start, '}');
- if (start < end) {
- *env_var = *expanded = '\0';
- strncat(env_var, start + 2, end - start - 2);
- strncat(expanded, new_location, start - new_location);
- strncat(expanded, getenv(env_var),
- PATH_MAX - strlen(expanded));
- strncat(expanded, end + 1,
- PATH_MAX - strlen(expanded));
- strncpy(new_location, expanded, PATH_MAX);
- new_location[PATH_MAX] = 0;
- } else
- break;
+ char *start, *end, *var;
+
+ while ((start = strstr(new_location, "${")) &&
+ (end = strchr(start + 2, '}'))) {
+ *start = *end = 0;
+ var = getenv(start + 2);
+ snprintf(expanded, sizeof expanded, "%s%s%s",
+ new_location, var ? var : "", end + 1);
+ strcpy(new_location, expanded);
}

return new_location;
--
1.8.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Justin Piszcz: "3.12: raid-1 mismatch_cnt question"
Previous message: Kamil Debski: "RE: [PATCH RFC 1/4] phy: Add new Exynos5 USB 3.0 PHY driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]