Hi Rob, In function __readfile()__, the buffer __buf__ is freed when __readall()__ fails. This __free__ can cause a crash if the buffer passed in by the caller was not __malloc'ed__.
__names_to_pid()__ is one example of such a caller.
The patch below takes care of this.
diff -Naur a/lib/lib.c b/lib/lib.c
--- a/lib/lib.c 2014-04-29 16:33:17.000000000 +0530
+++ b/lib/lib.c 2014-05-02 16:14:27.194614098 +0530
@@ -323,9 +323,10 @@
// Read contents of file as a single nul-terminated string.
// malloc new one if buf=len=0
-char *readfile(char *name, char *buf, off_t len)
+char *readfile(char *name, char *ibuf, off_t len)
{
int fd;
+ char *buf;
fd = open(name, O_RDONLY);
if (fd == -1) return 0;
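Review bot: The header comment above the signature still reads `malloc new one if buf=len=0`, but after the rename the parameter is `ibuf` and `buf` is a local, so the comment now names the wrong variable. The ownership contract this patch establishes is also not written down anywhere: a caller-supplied `ibuf` is never freed here, while a buffer the function allocates has to be freed by the caller. I would reword the comment along the lines of `// If ibuf is 0, malloc a buffer (caller frees); else fill ibuf, which must hold len bytes and is never freed here.` The body of readfile() continues past the end of this hunk.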
@@ -335,12 +336,13 @@
// proc files don't report a length, so try 1 page minimum.
if (len<4096) len = 4096;
}
- if (!buf) buf = xmalloc(len+1);
+ if (!ibuf) buf = xmalloc(len+1);
+ else buf = ibuf;
len = readall(fd, buf, len-1);
close(fd);
if (len<0) {
- free(buf);
+ if (ibuf != buf) free(buf);
buf = 0;
} else buf[len] = 0;
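Review bot: The new `else buf = ibuf;` path hands a caller-owned buffer to `readall(fd, buf, len-1)` with whatever `len` holds at that point, and the block closed just above appears to replace a non-positive `len` with the file length or 4096 (its condition lies between the hunks, so this is inferred from the comment and the closing brace). If that is right, a caller that passes `ibuf` together with a `len` of 0 gets up to a page or more written into a buffer whose real size the function never learned, and with non-malloc'ed buffers now an explicitly supported input that is an out-of-bounds write on caller memory. A guard placed before the `open()` call would close it without leaking the descriptor: `if (ibuf && len<1) return 0;`. The function's return statement is outside this hunk.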
regards,
Ashwini
