| side by side (parent:
50ccdfc
)
contrib/lar: check for buffer overflows in lar_find_archive() and lar_find_member()
author
Jo-Philipp Wich
<jow@openwrt.org>
Mon, 6 Apr 2009 17:54:55 +0000
(17:54 +0000)
committer
Jo-Philipp Wich
<jow@openwrt.org>
Mon, 6 Apr 2009 17:54:55 +0000
(17:54 +0000)
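--- a/contrib/lar/lar.c
+++ b/contrib/lar/lar.c
@@ -182,7 +182,12 @@ lar_archive * lar_find_archive( const char *package )
 LAR_FNAME(buffer);
 for( len = 0; package[len] != '\0'; len++ )
+{
+if( len >= sizeof(buffer) )
+LAR_DIE("Package name exceeds maximum allowed length");
+
 if( package[len] == '.' ) seg++;
+}
 while( seg > 0 )
 {
@@ -213,7 +218,12 @@ lar_member * lar_find_member( lar_archive *ar, const char *package )
 LAR_FNAME(buffer);
 for( len = 0; package[len] != '\0'; len++ )
+{
+if( len >= sizeof(buffer) )
+LAR_DIE("Package name exceeds maximum allowed length");
+
 buffer[len] = ( package[len] == '.' ) ? '/' : package[len];
+}
 buffer[len+0] = '.'; buffer[len+1] = 'l'; buffer[len+2] = 'u';
 buffer[len+3] = 'a'; buffer[len+4] = '\0';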
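Review bot: In lar_find_member() the new bound covers only the per-character copy inside the loop; the five suffix bytes written right after it (`buffer[len+0]` through `buffer[len+4]`) are still unchecked. A package name of `sizeof(buffer) - 4` to `sizeof(buffer)` characters passes every iteration and then writes ".lua" plus the terminator past the end of the array. The check should reserve room for the suffix, for example `if( len + 5 >= sizeof(buffer) )`, so the final `buffer[len+4]` lands at most on the last element. This assumes `LAR_FNAME(buffer)` declares a true array so that `sizeof(buffer)` is its capacity; the macro is not visible here and should be confirmed. The same check in lar_find_archive() guards a loop that only counts dots in the visible lines, and that function continues outside the hunk, so whether later writes there need a similar reserve cannot be judged from this page.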