author | Mike Frysinger <vapier@gentoo.org> | 2024-01-24 20:55:49 -0500 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2024-01-24 20:55:49 -0500 |
commit | b5d34e577acb271cdc616b47b77569cb5577b9ef (patch) | |
tree | d1cdcd86428cdabfbed5d69cc20381cd8bbf6f73 | |
parent | pspax: replace proc_fopen with fopenat_r (diff) | |
download | pax-utils-b5d34e577acb271cdc616b47b77569cb5577b9ef.tar.gz pax-utils-b5d34e577acb271cdc616b47b77569cb5577b9ef.tar.bz2 pax-utils-b5d34e577acb271cdc616b47b77569cb5577b9ef.zip |
pspax: fix buffer limiting in cmdline reading
The current scanf format tries to use "%s.1023" to limit reading to 1023
bytes, but that doesn't actually work -- the maximum field width is between
the "%" and the "s", so it should have been "%1023s". This ends up working
anyways because the %s stops reading when it hits NUL or a space. Normally
cmdline is NUL delimited which means argv[0] would have to be 1024+ bytes
in order to overflow this. Or the process rewrote its cmdline settings such
that argv[0] was that long. Certainly possible, but extremely unlikely.
Fix the scanf string to properly limit to 1023 bytes (+1 for the NUL).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-rw-r--r-- | pspax.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -63,7 +63,7 @@ static const char *get_proc_name_cmdline(int pfd) if (fp == NULL) return NULL; - if (fscanf(fp, "%s.1023", str) != 1) { + if (fscanf(fp, "%1023s", str) != 1) { fclose(fp); return NULL; } |
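Review bot: the literal width `1023` in `"%1023s"` only keeps the scanf bounded if `str` is at least 1024 bytes (1023 characters plus the terminating NUL the commit message mentions), but the declaration of `str` is not in this hunk, so the two sizes can silently drift apart if the buffer is ever resized. Consider adding a comment next to the format string tying the width to the buffer's declared size, or a compile-time check such as `_Static_assert(sizeof(str) == 1024, "fscanf width must match str");` so that a later change to `str` cannot reintroduce the overflow. Also worth a one-line comment in the code: as the commit message notes, `%s` stops at whitespace as well as NUL, so this reads only the first whitespace-delimited token of argv[0] rather than the full cmdline entry, which is fine for a process name but should be stated where the format string lives.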