* Stefan Hajnoczi (stefa...@redhat.com) wrote: > On Wed, Oct 14, 2020 at 07:02:09PM +0100, Dr. David Alan Gilbert (git) wrote: > > +static XattrMapEntry *parse_xattrmap_map(const char *rule, > > + XattrMapEntry *map, > > + size_t *nentries) > > +{ > > + char sep = *rule++; > > + const char *tmp; > > + char *key; > > + char *prefix; > > + XattrMapEntry tmp_entry; > > + > > + /* At start of 'key' field */ > > + tmp = strchr(rule, sep); > > Missing sep == '\0' check. The strchr(3) man page says: > > The terminating null byte is considered part of the string, so that if > c is specified as '\0', these functions return a pointer to the > terminator. > > So the code in this patch will eventually access beyond the end of the > string: > > rule = tmp + 1; <-- tmp is already at the NUL terminator
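Review bot: in parse_xattrmap_map(), `char sep = *rule++;` advances rule before sep has been validated, so for an empty rule the pointer is already one past the terminator when `tmp = strchr(rule, sep);` runs, and strchr then searches for '\0' starting outside the string. Read sep without the increment, return an error when `sep == '\0'`, and only then step rule forward to the start of the 'key' field.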
Ah yes, I've got the check in the main routine but not in the _map case;
OK I'll fix that up.

Dave
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
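The strchr(3) behaviour quoted in the review, shown as an added example that is not code from the patch under review: a separator-delimited rule is split only after the separator is checked against '\0'. The names next_field and parse_map_rule and the rule layout `<sep>key<sep>prefix<sep>` are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Copy the text before the next 'sep' and move *cursor past that sep.
 * Returns NULL when the field is unterminated. Caller ensures sep != '\0'. */
static char *next_field(const char **cursor, char sep)
{
    const char *end = strchr(*cursor, sep);
    size_t len;
    char *field;

    if (end == NULL) {
        return NULL;            /* separator missing: malformed rule */
    }
    len = (size_t)(end - *cursor);
    field = malloc(len + 1);
    if (field == NULL) {
        return NULL;
    }
    memcpy(field, *cursor, len);
    field[len] = '\0';
    *cursor = end + 1;          /* in bounds: 'end' is a real sep, not the NUL */
    return field;
}

/* Hypothetical parser for "<sep>key<sep>prefix<sep>"; the first character
 * selects the separator. Returns 0 on success, -1 on malformed input. */
int parse_map_rule(const char *rule, char **key, char **prefix)
{
    char sep = *rule;           /* read without advancing */

    *key = *prefix = NULL;
    if (sep == '\0') {
        return -1;              /* empty rule: never step past the terminator */
    }
    rule++;

    *key = next_field(&rule, sep);
    if (*key == NULL) {
        return -1;
    }
    *prefix = next_field(&rule, sep);
    if (*prefix == NULL) {
        free(*key);
        *key = NULL;
        return -1;
    }
    return 0;
}
```

On success the caller owns both returned strings and must free() them.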