[PATCH] squashfs: Fix heap corruption in sqfs_search_dir()

res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger richard@nod.at
---
fs/squashfs/sqfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index af7ff80a7b..b9314019b1 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -567,8 +567,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, ret = -ENOMEM; goto out; } - /* Concatenate remaining tokens and symlink's target */ - res = malloc(strlen(rem) + strlen(target) + 1); + /* + * Concatenate remaining tokens and symlink's target. + * Allocate enough space for rem, target, '/' and '\0'. + */ + res = malloc(strlen(rem) + strlen(target) + 2); if (!res) { ret = -ENOMEM; goto out;
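Review bot: the `+ 2` in the new `malloc()` call is correct (rem, target, '/' and '\0'), but it is a bare constant that has to stay in sync with the code that later fills `res`, and those writes are outside this hunk; consider computing the size once into a local, e.g. `size_t res_len = strlen(rem) + strlen(target) + 2;`, and using `res_len` both for the allocation and to bound the write, so the allocation and the copy cannot drift apart again. The new comment spelling out all four components is good documentation of why the old `+ 1` was one byte short.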
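An added illustration of the sizing bug this patch fixes, not code from U-Boot or from the author: it computes the buffer length with the old and the fixed formula, builds the joined path with a write bounded by the same length used for the allocation, and reports how many bytes the old formula falls short. The target-then-rem order and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for rem, target, the '/' separator and the NUL. */
size_t join_len(const char *rem, const char *target)
{
	return strlen(rem) + strlen(target) + 2;
}

/* The pre-fix formula: it forgets the '/' and is one byte short. */
size_t join_len_buggy(const char *rem, const char *target)
{
	return strlen(rem) + strlen(target) + 1;
}

/*
 * Build "<target>/<rem>" in a fresh heap buffer (order is an assumption).
 * The write is bounded by the same length used for the allocation, so a
 * wrong size formula turns into a NULL return instead of a heap overflow.
 * Caller frees the result.
 */
char *join_path(const char *rem, const char *target)
{
	size_t len = join_len(rem, target);
	char *res = malloc(len);
	int n;

	if (!res)
		return NULL;
	n = snprintf(res, len, "%s/%s", target, rem);
	if (n < 0 || (size_t)n >= len) {	/* truncated: size was wrong */
		free(res);
		return NULL;
	}
	return res;
}

/* How many bytes the pre-fix allocation would be overrun by. */
size_t overrun_bytes(const char *rem, const char *target)
{
	char *p = join_path(rem, target);
	size_t written = p ? strlen(p) + 1 : 0;	/* including the NUL */
	size_t old = join_len_buggy(rem, target);

	free(p);
	return written > old ? written - old : 0;
}
```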

Hi Richard,
richard@nod.at wrote on Fri, 2 Aug 2024 22:05:09 +0200:
> res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte.
Mmm, subtle.
Reviewed-by: Miquel Raynal miquel.raynal@bootlin.com
Thanks for the fix!
Miquèl

On Fri, 02 Aug 2024 22:05:09 +0200, Richard Weinberger wrote:
> res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte.
Applied to u-boot/next, thanks!
Participants (3):
- Miquel Raynal
- Richard Weinberger
- Tom Rini