tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

gen_init_cpio: avoid NULL pointer dereference and rework env expanding

getenv() may return NULL if given environment variable does not exist
which leads to NULL dereference when calling strncat.

Besides that, the environment variable name was copied to a temporary
env_var buffer, but this copying can be avoided by simply using the input
string.

Lastly, the whole loop can be greatly simplified by using the snprintf
function instead of the playing with strncat.

By the way, the current implementation allows a recursive variable
expansion, as in:

$ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a
out a b a out

I'm assuming this is just a side effect and not a conscious decision
(especially as this may lead to infinite loop), but I didn't want to
change this behaviour without consulting.

If the current behaviour is deamed incorrect, I'll be happy to send
a patch without recursive processing.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jesper Juhl <jj@codesealer.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Michal Nazarewicz and committed by
Linus Torvalds c725ee54 0ca43435

+8 -17
+8 -17
usr/gen_init_cpio.c
··· 382 382 static char *cpio_replace_env(char *new_location) 383 383 { 384 384 char expanded[PATH_MAX + 1]; 385 - char env_var[PATH_MAX + 1]; 386 - char *start; 387 - char *end; 385 + char *start, *end, *var; 388 386 389 - for (start = NULL; (start = strstr(new_location, "${")); ) { 390 - end = strchr(start, '}'); 391 - if (start < end) { 392 - *env_var = *expanded = '\0'; 393 - strncat(env_var, start + 2, end - start - 2); 394 - strncat(expanded, new_location, start - new_location); 395 - strncat(expanded, getenv(env_var), 396 - PATH_MAX - strlen(expanded)); 397 - strncat(expanded, end + 1, 398 - PATH_MAX - strlen(expanded)); 399 - strncpy(new_location, expanded, PATH_MAX); 400 - new_location[PATH_MAX] = 0; 401 - } else 402 - break; 387 + while ((start = strstr(new_location, "${")) && 388 + (end = strchr(start + 2, '}'))) { 389 + *start = *end = 0; 390 + var = getenv(start + 2); 391 + snprintf(expanded, sizeof expanded, "%s%s%s", 392 + new_location, var ? var : "", end + 1); 393 + strcpy(new_location, expanded); 403 394 } 404 395 405 396 return new_location;