author | Thierry Bultel <thierry.bultel@iot.bzh> | 2018-08-22 08:48:46 +0200 |
---|---|---|
committer | Romain Forlot <romain.forlot@iot.bzh> | 2018-12-13 15:02:55 +0100 |
commit | a373a141afbf997811de92cb4bce81622ccc2444 (patch) | |
tree | 3ef4a606be4a807506a9394b6481e8bd5019749f /ctl-lib/ctl-lua.c | |
parent | 2e1e2ac4a61784d9cfd072e824d4aafd1d2b2f2a (diff) |
ctl-lua: Fixed memory corruption
fixed a malloc random crash when loading the configuration files.
A write of one byte was done outside of an allocated area.
Namely, strncat always writes n+1 bytes, thus a best practice is to always
calculate n as this:
buffer_size-strlen(s)-1
Change-Id: Icb568f324d466fc6eef40c3e251ce6b8a7006d95
Signed-off-by: Thierry Bultel <thierry.bultel@iot.bzh>
Diffstat (limited to 'ctl-lib/ctl-lua.c')
-rw-r--r-- | ctl-lib/ctl-lua.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/ctl-lib/ctl-lua.c b/ctl-lib/ctl-lua.c
index 87e27d0..1a2554c 100644
--- a/ctl-lib/ctl-lua.c
+++ b/ctl-lib/ctl-lua.c
@@ -1352,15 +1352,16 @@ int LuaConfigLoad(AFB_ApiT apiHandle, const char *prefix) {
 sep++;
 }
- total_len = base_len + spath_len + token_nb * strlen(LUA_GLOB_PATTERN) + 1;
- lua_str = malloc(total_len + 1);
+ /* allocate 2 extra bytes for the ending single quote + NULL char */
+ total_len = base_len + spath_len + token_nb * strlen(LUA_GLOB_PATTERN) + 2;
+ lua_str = malloc(total_len);
 strncpy(lua_str, LUA_PATH_VALUE, total_len);
 for (i = 0; i < token_nb; i++) {
 sep = strsep(&spath, ":");
- strncat(lua_str, sep, total_len - strlen(lua_str));
- strncat(lua_str, LUA_GLOB_PATTERN, total_len - strlen(lua_str));
+ strncat(lua_str, sep, total_len - strlen(lua_str) - 1);
+ strncat(lua_str, LUA_GLOB_PATTERN, total_len - strlen(lua_str) -1);
 }
- strncat(lua_str, "'", 2);
+ strncat(lua_str, "'", total_len - strlen(lua_str) - 1);
 if(luaL_dostring(luaState, lua_str)) printf("Fail change package.path error=%s", lua_tostring(luaState, -1)); |
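Review bot: Each token taken from `spath` is appended verbatim into a Lua statement that `luaL_dostring` then executes, so a path element containing `'`, a backslash or a newline would alter that statement instead of only extending `package.path`; where `spath` comes from is outside this hunk, so how far it can be trusted needs confirming. A minimal guard inside the loop is `if (strpbrk(sep, "'\\\n") != NULL) continue;` before the first `strncat`, and the more robust route is to assign `package.path` with `lua_pushstring`/`lua_setfield`, which avoids building Lua source and removes the length arithmetic this commit had to correct. Separately, the result of `malloc(total_len)` is passed straight to `strncpy` without a NULL check. `LuaConfigLoad` begins and ends outside the hunk, so `base_len`, `spath_len` and `token_nb` are assumed to be computed as the new comment implies.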