mirror of
https://github.com/ipxe/ipxe
synced 2026-07-01 00:04:54 +03:00
[nfs] Fix off-by-one heap overflow in nfs_uri_symlink()
The length calculations in nfs_uri_symlink() omitted space for the NUL terminator, causing strcpy() to write one byte past the heap allocation. Signed-off-by: Theodore Riera <warsang@hotmail.com>
committed by
Michael Brown
parent
e0a2ca984f
commit
ce6ad2be02
@@ -97,7 +97,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
|
len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
|
||||||
strlen ( uri->mountpoint );
|
strlen ( uri->mountpoint ) + 1;
|
||||||
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
|
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
@@ -105,7 +105,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
|
|||||||
strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
|
strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
len = strlen ( uri->lookup_pos ) + strlen ( symlink );
|
len = strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1;
|
||||||
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
|
if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
|||||||
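Review bot: The copies into new_path are still unbounded strcpy() calls (one is visible as context at the top of the second hunk), so the allocation size and the number of bytes written are still maintained separately, which is how the missing terminator byte went unnoticed. A bounded write that reuses the computed size would make any later drift truncate instead of overrunning the heap block, for example in the else branch `snprintf ( new_path, len, "%s%s", symlink, uri->lookup_pos );`. In the first hunk, the `- strlen ( uri->mountpoint )` term is only safe if an earlier check guarantees that symlink starts with the mountpoint; that check is not visible here, and a short comment next to the subtraction naming it would help, since the size_t expression would wrap otherwise. If symlink comes from the server's reply, which the hunks do not show, it should be treated as untrusted input throughout. The function begins before the first hunk and continues past the second, so the remaining copies and the release of the old path could not be reviewed.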