The function strncpy() does not guarantee to nul terminate the
destination. In most cases, this cannot be triggered, but it is also
used to parse user environment variables. These are allowed to be longer
than 1023 characters, effectively resulting in an unterminated string.
I've adjusted other places as well, because it won't hurt.
https://bugs.freedesktop.org/show_bug.cgi?id=96677
continue;
if (strcmp(token, env) == 0) {
- if (env_value)
+ if (env_value) {
strncpy(env_value,value, 1024);
+ env_value[1023] = '\0';
+ }
fclose(fp);
/* no setting in config file, use env setting */
value = getenv(env);
if (value) {
- if (env_value)
+ if (env_value) {
strncpy(env_value, value, 1024);
+ env_value[1023] = '\0';
+ }
return 0;
}
FILE *fp = NULL;
strncpy(env_value, fn_env, 1024);
+ env_value[1023] = '\0';
FILE_NAME_SUFFIX(env_value, 1024,
"ctx-", (unsigned int)ptra_ctx->trace_context);
char env_value[1024];
strncpy(env_value, pva_trace->fn_log_env, 1024);
+ env_value[1023] = '\0';
FILE_NAME_SUFFIX(env_value, 1024,
"thd-", (unsigned int)thd_id);