From a6fb1ce79dba98c01678561236e9364bedc02b38 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 17 Feb 2019 22:55:29 +0100 Subject: sfdisk: Avoid out of boundary read with readline It is not guaranteed that the returned string of readline() actually contains as many bytes as buf can contain. If bufsz is larger than the allocated memory by readline, an out of boundary read occurs and leads to undefined behaviour. Most likely that will be a crash. This can be reproduced when readline-support is compiled in and when you directly enter "quit" and "n" (to not write changes back to disk) when sfdisk was called with any given device. Signed-off-by: Tobias Stoeckmann --- disk-utils/sfdisk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'disk-utils') diff --git a/disk-utils/sfdisk.c b/disk-utils/sfdisk.c index 3911dda85..52ccc5251 100644 --- a/disk-utils/sfdisk.c +++ b/disk-utils/sfdisk.c @@ -133,7 +133,9 @@ static int get_user_reply(const char *prompt, char *buf, size_t bufsz) p = readline(prompt); if (!p) return 1; - memcpy(buf, p, bufsz); + strncpy(buf, p, bufsz); + if (bufsz != 0) + buf[bufsz - 1] = '\0'; free(p); } else #endif -- cgit v1.2.3-55-g7522