From 6dd83548f4193f8bfd7983240471db0d0c7af626 Mon Sep 17 00:00:00 2001
From: Nickolai Zeldovich
Date: Tue, 8 Jan 2013 15:31:18 -0500
Subject: [PATCH] e2fsck: do not crash on long log file names

Previously e2fsck would corrupt memory if the log file name was longer than 100 bytes (e.g., a long log_filename value in e2fsck.conf or a pattern that expands out to more than 100 bytes). This was due to incorrectly calling realloc() in append_string() on the struct string instead of the malloc'ed char* buffer, among other problems. This patch fixes the call to realloc() and also ensures that the buffer is grown by sufficiently many bytes (not just by 2x).

Signed-off-by: Nickolai Zeldovich
Signed-off-by: "Theodore Ts'o"
---
 e2fsck/logfile.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/e2fsck/logfile.c b/e2fsck/logfile.c
index 9229fbf..c48b8eb 100644
--- a/e2fsck/logfile.c
+++ b/e2fsck/logfile.c
@@ -36,19 +36,25 @@ static void alloc_string(struct string *s, int len)
 static void append_string(struct string *s, const char *a, int len)
 {
+	int needlen;
+
 	if (!len)
 		len = strlen(a);
-	if (s->end + len >= s->len) {
-		char *n = realloc(s, s->len * 2);
+	needlen = s->end + len + 1;
+	if (needlen > s->len) {
+		char *n;
+
+		if (s->len * 2 > needlen)
+			needlen = s->len * 2;
+		n = realloc(s->s, needlen);
 		if (n) {
 			s->s = n;
-			s->len = s->len * 2;
+			s->len = needlen;
 		} else {
-			len = s->len - s->end - 1;
-			if (len <= 0)
-				return;
+			/* Don't append if we ran out of memory */
+			return;
 		}
 	}
 	memcpy(s->s + s->end, a, len);
-- 
1.8.3.1