path: root/com32/elflink
diff options
authorMatt Fleming <matt.fleming@intel.com>2012-03-07 15:18:51 +0000
committerMatt Fleming <matt.fleming@intel.com>2012-03-23 16:56:16 +0000
commit2fb06e3ff4cad75633c78f56f99b4b3e3652b633 (patch)
tree67152777af6c4fee41982b07b21e959a726fe254 /com32/elflink
parentdb63acbdcd3603bbd42238dac19902ce00fe5d59 (diff)
ldlinux: Avoid initialised data memory corruption
We can't realloc() 'PATH' because realloc() may just extend the malloc'd region if the adjacent region is free, as opposed to allocating a new region and then copying the data. This behaviour is fine in most circumstances but not with initialised string data, such as 'PATH'. The reason is that other string data pointers may point to characters in 'PATH' and if we modify it after realloc()'ing, we'll appear to corrupt unrelated string data. For example, the string "/" is used in chdir() and the address of that string is the last "/" in 'PATH'. If we realloc() and then append "foo" to 'PATH' the string pointer in chdir() will now point to "/foo". Initialise 'PATH' at runtime using malloc() and free() to avoid corrupting string data. Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Diffstat (limited to 'com32/elflink')
1 files changed, 2 insertions, 1 deletions
diff --git a/com32/elflink/ldlinux/readconfig.c b/com32/elflink/ldlinux/readconfig.c
index 573d7246..4f7a4d22 100644
--- a/com32/elflink/ldlinux/readconfig.c
+++ b/com32/elflink/ldlinux/readconfig.c
@@ -1315,12 +1315,13 @@ do_include:
new_path = refstrdup(skipspace(p + 4));
len = strlen(PATH);
new_len = strlen(new_path);
- _p = realloc(PATH, len + new_len + 2);
+ _p = malloc(len + new_len + 2);
if (_p) {
strncpy(_p, PATH, len);
_p[len++] = ':';
strncpy(_p + len, new_path, new_len);
_p[len + new_len] = '\0';
+ free(PATH);
PATH = _p;
} else
eprintf("Failed to realloc PATH\n");