aboutsummaryrefslogtreecommitdiffstats
path: root/usr
diff options
context:
space:
mode:
authorMichal Nazarewicz2013-11-12 17:08:41 -0600
committerLinus Torvalds2013-11-12 21:09:12 -0600
commitc725ee54c30b34427cb8fa68d1fe8804aca6d400 (patch)
treeb455af08fbecb6a3f7ddf027cbc4b36d3865bf9e /usr
parent0ca43435188b9f911c8efcdf10731f726142dda1 (diff)
downloadlinux-phy-c725ee54c30b34427cb8fa68d1fe8804aca6d400.tar.gz
linux-phy-c725ee54c30b34427cb8fa68d1fe8804aca6d400.tar.xz
linux-phy-c725ee54c30b34427cb8fa68d1fe8804aca6d400.zip
gen_init_cpio: avoid NULL pointer dereference and rework env expanding
getenv() may return NULL if given environment variable does not exist which leads to NULL dereference when calling strncat. Besides that, the environment variable name was copied to a temporary env_var buffer, but this copying can be avoided by simply using the input string. Lastly, the whole loop can be greatly simplified by using the snprintf function instead of the playing with strncat. By the way, the current implementation allows a recursive variable expansion, as in: $ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a out a b a out I'm assuming this is just a side effect and not a conscious decision (especially as this may lead to infinite loop), but I didn't want to change this behaviour without consulting. If the current behaviour is deamed incorrect, I'll be happy to send a patch without recursive processing. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Cc: Kees Cook <keescook@chromium.org> Cc: Jiri Kosina <jkosina@suse.cz> Cc: Jesper Juhl <jj@codesealer.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'usr')
-rw-r--r--usr/gen_init_cpio.c27
1 files changed, 9 insertions, 18 deletions
diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index af8c925e93eb..225ad244cf88 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -382,24 +382,15 @@ error:
382static char *cpio_replace_env(char *new_location) 382static char *cpio_replace_env(char *new_location)
383{ 383{
384 char expanded[PATH_MAX + 1]; 384 char expanded[PATH_MAX + 1];
385 char env_var[PATH_MAX + 1]; 385 char *start, *end, *var;
386 char *start; 386
387 char *end; 387 while ((start = strstr(new_location, "${")) &&
388 388 (end = strchr(start + 2, '}'))) {
389 for (start = NULL; (start = strstr(new_location, "${")); ) { 389 *start = *end = 0;
390 end = strchr(start, '}'); 390 var = getenv(start + 2);
391 if (start < end) { 391 snprintf(expanded, sizeof expanded, "%s%s%s",
392 *env_var = *expanded = '\0'; 392 new_location, var ? var : "", end + 1);
393 strncat(env_var, start + 2, end - start - 2); 393 strcpy(new_location, expanded);
394 strncat(expanded, new_location, start - new_location);
395 strncat(expanded, getenv(env_var),
396 PATH_MAX - strlen(expanded));
397 strncat(expanded, end + 1,
398 PATH_MAX - strlen(expanded));
399 strncpy(new_location, expanded, PATH_MAX);
400 new_location[PATH_MAX] = 0;
401 } else
402 break;
403 } 394 }
404 395
405 return new_location; 396 return new_location;