Commit | Line | Data |
---|---|---|
1c771352 WB |
1 | From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Thu, 17 Dec 2015 17:47:15 +0530 | |
4 | Subject: [PATCH] hmp: avoid redundant null termination of buffer | |
5 | ||
6 | When processing 'sendkey' command, hmp_sendkey routine null | |
7 | terminates the 'keyname_buf' array. This results in an OOB write | |
8 | issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. | |
9 | Removed the redundant null termination, as pstrcpy routine already | |
10 | null terminates the target buffer. | |
11 | ||
12 | Reported-by: Ling Liu <liuling-it@360.cn> | |
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
14 | --- | |
15 | hmp.c | 2 -- | |
16 | 1 file changed, 2 deletions(-) | |
17 | ||
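--- a/hmp.c
+++ b/hmp.c
@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
 /* Be compatible with old interface, convert user inputted "<" */
 if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
 pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
- keyname_len = 4;
 }
- keyname_buf[keyname_len] = 0;
 
 keylist = g_malloc0(sizeof(*keylist));
 keylist->value = g_malloc0(sizeof(*keylist->value));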
32 | -- | |
33 | 2.4.3 | |
34 | === |