[syslinux:elflink] module: Fix off-by-one error in findpath()

syslinux-bot for Matt Fleming matt.fleming at intel.com
Tue Nov 27 14:15:05 PST 2012


Commit-ID:  6f4575c2ad3950af53bcdfd40fe2cce6171179fe
Gitweb:     http://www.syslinux.org/commit/6f4575c2ad3950af53bcdfd40fe2cce6171179fe
Author:     Matt Fleming <matt.fleming at intel.com>
AuthorDate: Tue, 27 Nov 2012 16:25:37 +0000
Committer:  Matt Fleming <matt.fleming at intel.com>
CommitDate: Tue, 27 Nov 2012 21:09:44 +0000

module: Fix off-by-one error in findpath()

We need to make sure that 'path' still has enough space to write the
trailing NUL-byte. Without this patch it's possible to write a
NUL-byte past the end of the on-stack buffer.

Signed-off-by: Matt Fleming <matt.fleming at intel.com>

---
 com32/lib/sys/module/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/com32/lib/sys/module/common.c b/com32/lib/sys/module/common.c
index 30c57b4..dfbdf61 100644
--- a/com32/lib/sys/module/common.c
+++ b/com32/lib/sys/module/common.c
@@ -71,7 +71,7 @@ FILE *findpath(char *name)
 	p = PATH;
 again:
 	i = 0;
-	while (*p && *p != ':' && i < FILENAME_MAX) {
+	while (*p && *p != ':' && i < FILENAME_MAX - 1) {
 		path[i++] = *p++;
 	}
 
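Review bot: the directory loop now stops at i == FILENAME_MAX - 1, but nothing in this hunk distinguishes that exit from stopping at ':' or at the end of PATH. An over-long PATH component is therefore silently truncated and p is left pointing into the middle of it. If control then returns to again:, the remainder of that component would be scanned as though it were a separate directory. Consider testing after the loop whether *p is neither NUL nor ':' and, in that case, advancing p to the next ':' and dropping the component rather than building a path from a truncated prefix.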
@@ -79,7 +79,7 @@ again:
 		p++;
 
 	n = name;
-	while (*n && i < FILENAME_MAX)
+	while (*n && i < FILENAME_MAX - 1)
 		path[i++] = *n++;
 	path[i] = '\0';
 
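Review bot: in the name loop, the new bound makes the path[i] = '\0' store safe, but a name that does not fit is still cut short, or not copied at all when the directory part has already reached FILENAME_MAX - 1, and the truncated path is then used as if it were complete. Check *n after the loop and treat a non-NUL value as "name does not fit", so a lookup can never resolve to a different, shorter file name. A short comment that the - 1 reserves room for the terminator would also help, since the same expression now appears in both loops and has to stay in step with the size of path.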

