diff options
author | Thomas Osterried <ax25@x-berg.in-berlin.de> | 2021-02-03 15:27:28 +0100 |
---|---|---|
committer | Thomas Osterried <ax25@x-berg.in-berlin.de> | 2021-02-03 15:27:28 +0100 |
commit | f7e4a620aaa061bca62c2cef7dd508157e482c68 (patch) | |
tree | faff44408a321e4d957bf0f37f252e8a73ca2364 | |
parent | b17ff362f5e006faa87174608e663153aa5fb007 (diff) |
This fixes a bug in ttyutils.c for tty_is_locked, tty_lock() and tty_unlock()
for very long path names, i.e.
kissattach /dev/serial/by-id/usb-FTDI_usb_serial_converter_FTCAWZIA-if00-port
0 tnc
-> Segmentation fault
because buffer[50] was not only too short; the length was also not checked.
Thanks to David KI6ZHD for reporting this bug.
Signed-off-by: Thomas Osterried <ax25@x-berg.in-berlin.de>
-rw-r--r-- | ttyutils.c | 19 |
1 files changed, 13 insertions, 6 deletions
@@ -4,6 +4,7 @@ #include <unistd.h> #include <fcntl.h> #include <signal.h> +#include <limits.h> #include <netax25/ttyutils.h> #include "pathnames.h" @@ -100,7 +101,7 @@ int tty_speed(int fd, int speed) int tty_is_locked(char *tty) { - char buffer[50], *s; + char buffer[PATH_MAX], *s; FILE *fp; int pid = 0; @@ -109,7 +110,9 @@ int tty_is_locked(char *tty) else s = tty; - sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s); + memset(buffer, 0, sizeof(buffer)); + sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR); + strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1); if ((fp = fopen(buffer, "r")) == NULL) return FALSE; @@ -129,7 +132,7 @@ int tty_is_locked(char *tty) int tty_lock(char *tty) { - char buffer[50], *s; + char buffer[PATH_MAX], *s; FILE *fp; if ((s = strrchr(tty, '/')) != NULL) @@ -137,7 +140,9 @@ int tty_lock(char *tty) else s = tty; - sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s); + memset(buffer, 0, sizeof(buffer)); + sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR); + strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1); if ((fp = fopen(buffer, "w")) == NULL) return FALSE; @@ -151,14 +156,16 @@ int tty_lock(char *tty) int tty_unlock(char *tty) { - char buffer[50], *s; + char buffer[PATH_MAX], *s; if ((s = strrchr(tty, '/')) != NULL) s++; else s = tty; - sprintf(buffer, "%s/LCK..%s", LOCK_SERIAL_DIR, s); + memset(buffer, 0, sizeof(buffer)); + sprintf(buffer, "%s/LCK..", LOCK_SERIAL_DIR); + strncat(buffer+strlen(buffer), s, sizeof(buffer)-strlen(buffer)-1); return unlink(buffer) == 0; } |