summaryrefslogtreecommitdiffstats
path: root/ctl-lib/ctl-lua.c
diff options
context:
space:
mode:
authorThierry Bultel <thierry.bultel@iot.bzh>2018-08-22 08:48:46 +0200
committerRomain Forlot <romain.forlot@iot.bzh>2018-12-13 15:02:55 +0100
commita373a141afbf997811de92cb4bce81622ccc2444 (patch)
tree3ef4a606be4a807506a9394b6481e8bd5019749f /ctl-lib/ctl-lua.c
parent2e1e2ac4a61784d9cfd072e824d4aafd1d2b2f2a (diff)
ctl-lua: Fixed memory corruption
fixed a malloc random crash when loading the configuration files. A write of one byte was done outside of an allocated area. Namely, strncat always writes n+1 bytes, thus a best practice is to always calculate n as this: buffer_size-strlen(s)-1 Change-Id: Icb568f324d466fc6eef40c3e251ce6b8a7006d95 Signed-off-by: Thierry Bultel <thierry.bultel@iot.bzh>
Diffstat (limited to 'ctl-lib/ctl-lua.c')
-rw-r--r--ctl-lib/ctl-lua.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/ctl-lib/ctl-lua.c b/ctl-lib/ctl-lua.c
index 87e27d0..1a2554c 100644
--- a/ctl-lib/ctl-lua.c
+++ b/ctl-lib/ctl-lua.c
@@ -1352,15 +1352,16 @@ int LuaConfigLoad(AFB_ApiT apiHandle, const char *prefix) {
sep++;
}
- total_len = base_len + spath_len + token_nb * strlen(LUA_GLOB_PATTERN) + 1;
- lua_str = malloc(total_len + 1);
+ /* allocate 2 extra bytes for the ending single quote + NULL char */
+ total_len = base_len + spath_len + token_nb * strlen(LUA_GLOB_PATTERN) + 2;
+ lua_str = malloc(total_len);
strncpy(lua_str, LUA_PATH_VALUE, total_len);
for (i = 0; i < token_nb; i++) {
sep = strsep(&spath, ":");
- strncat(lua_str, sep, total_len - strlen(lua_str));
- strncat(lua_str, LUA_GLOB_PATTERN, total_len - strlen(lua_str));
+ strncat(lua_str, sep, total_len - strlen(lua_str) - 1);
+ strncat(lua_str, LUA_GLOB_PATTERN, total_len - strlen(lua_str) -1);
}
- strncat(lua_str, "'", 2);
+ strncat(lua_str, "'", total_len - strlen(lua_str) - 1);
if(luaL_dostring(luaState, lua_str))
printf("Fail change package.path error=%s", lua_tostring(luaState, -1));