From 1517fd276e12cac14c018d5a30792177eb6c59de Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sat, 25 Jun 2016 20:08:31 +0200
Subject: [PATCH] Properly terminate parsed environment values with '\0'.
The function strncpy() does not guarantee to nul terminate the destination. In most cases, this cannot be triggered, but it is also used to parse user environment variables. These are allowed to be longer than 1023 characters, effectively resulting in an unterminated string. I've adjusted other places as well, because it won't hurt. https://bugs.freedesktop.org/show_bug.cgi?id=96677
---
 va/va.c | 8 ++++++--
 va/va_trace.c | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/va/va.c b/va/va.c
index cd88d67..b524fc7 100644
--- a/va/va.c
+++ b/va/va.c
@@ -74,8 +74,10 @@ int va_parseConfig(char *env, char *env_value)
 continue;
 if (strcmp(token, env) == 0) {
- if (env_value)
+ if (env_value) {
 strncpy(env_value,value, 1024);
+ env_value[1023] = '\0';
+ }
 fclose(fp);
@@ -88,8 +90,10 @@ int va_parseConfig(char *env, char *env_value)
 /* no setting in config file, use env setting */
 value = getenv(env);
 if (value) {
- if (env_value)
+ if (env_value) {
 strncpy(env_value, value, 1024);
+ env_value[1023] = '\0';
+ }
 return 0;
 }
diff --git a/va/va_trace.c b/va/va_trace.c
index 96c076c..13fc6d2 100644
--- a/va/va_trace.c
+++ b/va/va_trace.c
@@ -546,6 +546,7 @@ static int open_tracing_specil_file(
 FILE *fp = NULL;
 strncpy(env_value, fn_env, 1024);
+ env_value[1023] = '\0';
 FILE_NAME_SUFFIX(env_value, 1024, "ctx-", (unsigned int)ptra_ctx->trace_context);
@@ -594,6 +595,7 @@ static int open_tracing_log_file(
 char env_value[1024];
 strncpy(env_value, pva_trace->fn_log_env, 1024);
+ env_value[1023] = '\0';
 FILE_NAME_SUFFIX(env_value, 1024, "thd-", (unsigned int)thd_id);
-- 2.11.0
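Review bot: In `va_parseConfig` (va/va.c, both hunks) a value longer than 1023 bytes is now cut off silently, and in the second hunk the function still reaches `return 0`, so the caller cannot tell a complete setting from a truncated one. The second hunk is the `getenv()` path that the commit message identifies as user-controlled, so rejecting over-long values before the copy would be safer than handing a shortened string on. The copy and termination could also be one call that always terminates, `snprintf(env_value, 1024, "%s", value);`, and the 1024/1023 literal pair would be less fragile as one named constant, because `env_value` arrives as a bare `char *` whose size the function cannot verify. The function body starts and ends outside both hunks, so the right failure return value is not visible here.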
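Review bot: In va/va_trace.c (`open_tracing_specil_file`, and the same pattern in `open_tracing_log_file`) the terminated copy can now fill `env_value` with 1023 characters, which leaves no room for the `"ctx-"` / `"thd-"` suffix that `FILE_NAME_SUFFIX(env_value, 1024, ...)` appends right after it. The macro's definition is outside the hunks, so how it behaves on a full buffer cannot be confirmed from here; if it truncates or drops the suffix, separate contexts or threads would presumably end up sharing one trace file name. A length check before the copy that also reserves space for the suffix, along the lines of `if (strlen(fn_env) >= 1024) return -1;` (using whatever error value these functions actually return), would make the over-long case explicit. Both function bodies extend beyond the hunks shown.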