OSDN Git Service

e2fsck: do not crash on long log file names
author: Nickolai Zeldovich <nickolai@csail.mit.edu>
Tue, 8 Jan 2013 20:31:18 +0000 (15:31 -0500)
committer: Theodore Ts'o <tytso@mit.edu>
Wed, 9 Jan 2013 01:36:48 +0000 (20:36 -0500)
Previously e2fsck would corrupt memory if the log file name was longer
than 100 bytes (e.g., a long log_filename value in e2fsck.conf or a
pattern that expands out to more than 100 bytes).  This was due to
incorrectly calling realloc() in append_string() on the struct string
instead of the malloc'ed char* buffer, among other problems.  This
patch fixes the call to realloc() and also ensures that the buffer is
grown by sufficiently many bytes (not just by 2x).

Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
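To make the two defects in the commit message concrete (growing the wrong pointer, and growing by a fixed factor that may still be too small), here is a stand-alone growable string written for this page. It is example code, not e2fsck's logfile.c; the names `gstr`, `gstr_init`, `gstr_append`, `gstr_free` and `demo_long_append` are invented here, and the 100-byte initial size and the sample path segment are constructed inputs.

```c
#include <stdlib.h>
#include <string.h>

/* Example growable string; mirrors the corrected growth rule described in
 * the commit message, but is not the project's own code. */
struct gstr {
    char *s;    /* heap buffer (this, not the struct, is what realloc() must grow) */
    int len;    /* bytes allocated for s, including room for the NUL */
    int end;    /* bytes in use; also the index of the NUL */
};

static int gstr_init(struct gstr *g, int initial)
{
    g->s = malloc(initial);
    if (!g->s)
        return -1;
    g->len = initial;
    g->end = 0;
    g->s[0] = '\0';
    return 0;
}

/* Append n bytes of a (strlen(a) when n == 0).
 * Returns 0 on success, -1 if the buffer could not be grown; on failure
 * nothing is appended, so the caller can tell the text was dropped. */
static int gstr_append(struct gstr *g, const char *a, int n)
{
    int needlen;

    if (!n)
        n = (int)strlen(a);

    needlen = g->end + n + 1;          /* +1 keeps room for the terminator */
    if (needlen > g->len) {
        char *p;

        /* Amortised doubling, but never less than what this append needs:
         * a single long input (e.g. a 300-byte path into a 100-byte buffer)
         * would overflow if we only ever doubled. */
        if (g->len * 2 > needlen)
            needlen = g->len * 2;

        p = realloc(g->s, needlen);    /* grow the char buffer, not the struct */
        if (!p)
            return -1;
        g->s = p;
        g->len = needlen;
    }
    memcpy(g->s + g->end, a, n);
    g->end += n;
    g->s[g->end] = '\0';
    return 0;
}

static void gstr_free(struct gstr *g)
{
    free(g->s);
    g->s = NULL;
    g->len = g->end = 0;
}

/* Build a string far longer than the 100-byte initial buffer by appending a
 * constructed path segment `repeats` times; returns the final length, or 0
 * if an allocation failed. */
static int demo_long_append(int repeats)
{
    struct gstr g;
    int i, result;

    if (gstr_init(&g, 100) < 0)
        return 0;
    for (i = 0; i < repeats; i++) {
        if (gstr_append(&g, "/var/log/e2fsck/long-log-file-name-segment-", 0) < 0) {
            gstr_free(&g);
            return 0;
        }
    }
    result = g.end;
    gstr_free(&g);
    return result;
}
```

The second append in the test below needs 9 bytes while doubling would only give 8, which is exactly the case the "not just by 2x" wording in the commit message is about.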
e2fsck/logfile.c

index 9229fbf..c48b8eb 100644 (file)
@@ -36,19 +36,25 @@ static void alloc_string(struct string *s, int len)
 
 static void append_string(struct string *s, const char *a, int len)
 {
+       int needlen;
+
        if (!len)
                len = strlen(a);
 
-       if (s->end + len >= s->len) {
-               char *n = realloc(s, s->len * 2);
+       needlen = s->end + len + 1;
+       if (needlen > s->len) {
+               char *n;
+
+               if (s->len * 2 > needlen)
+                       needlen = s->len * 2;
+               n = realloc(s->s, needlen);
 
                if (n) {
                        s->s = n;
-                       s->len = s->len * 2;
+                       s->len = needlen;
                } else {
-                       len = s->len - s->end - 1;
-                       if (len <= 0)
-                               return;
+                       /* Don't append if we ran out of memory */
+                       return;
                }
        }
        memcpy(s->s + s->end, a, len);
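Review bot: the new out-of-memory branch (`/* Don't append if we ran out of memory */` followed by `return;`) drops the text silently, so a caller has no way to learn that the log is now incomplete; since `append_string()` returns void, consider at least noting the truncation in a comment at the call sites, or changing the function to report failure. Two smaller points on the same hunk: `needlen = s->end + len + 1;` reserves one byte past the copied data, presumably for a NUL terminator, but the hunk ends at `memcpy(s->s + s->end, a, len);`, so the terminator write and the `s->end` advance are not visible here and should be confirmed to match; and `s->len * 2` is `int` arithmetic, which is fine for log lines but worth a bound if `struct string` is ever used for larger buffers.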