From 11b8f9be20fa7cea7105b4b2526e0dffe764c5d2 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Sun, 29 Dec 2013 07:06:26 -0500
Subject: [PATCH] vm-file-editor: fix potential buffer overflow

If we're being sent something without a zero byte, we could happily read off the end of the buffer. Interestingly, the write part was checking for the max bound.
---
 qubes-rpc/vm-file-editor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/qubes-rpc/vm-file-editor.c b/qubes-rpc/vm-file-editor.c
index a7eeb86..83fa972 100644
--- a/qubes-rpc/vm-file-editor.c
+++ b/qubes-rpc/vm-file-editor.c
@@ -28,11 +28,12 @@ char *get_filename()
 int i;
 if (!read_all(0, buf, sizeof(buf)))
 exit(1);
+ buf[DVM_FILENAME_SIZE-1] = 0;
 if (index(buf, '/')) {
 fprintf(stderr, "filename contains /");
 exit(1);
 }
- for (i=0; i < DVM_FILENAME_SIZE && buf[i]!=0; i++) {
+ for (i=0; buf[i]!=0; i++) {
 // replace some characters with _ (eg mimeopen have problems with some of them)
 if (index(" !?\"#$%^&*()[]<>;`~", buf[i]))
 buf[i]='_';
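Review bot: The added `buf[DVM_FILENAME_SIZE-1] = 0;` silently overwrites the last byte when the peer sends a name with no terminator, so a malformed or over-long name is accepted in truncated form rather than refused like the `/` case just below it. Because this buffer is filled straight from the RPC input on fd 0, rejecting is the stricter choice: `if (!memchr(buf, 0, sizeof(buf))) { fprintf(stderr, "filename not terminated"); exit(1); }` (assuming `<string.h>` is already included; the include block is not visible here). If the truncating form is kept, writing the index as `sizeof(buf)-1` would tie it to the same size the `read_all` call uses; the declaration of `buf` sits above the hunk, so its being a `DVM_FILENAME_SIZE` array is an assumption. A short comment such as `/* input is untrusted: guarantee termination before any string function touches buf */` would also explain why the loop bound could be dropped. The body of get_filename starts and ends outside the hunk.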