From e033d01db4aad4f25b05c72e6aac0fc5829a57f6 Mon Sep 17 00:00:00 2001 From: NRK Date: Sun, 29 Jan 2023 12:26:11 +0000 Subject: [PATCH] plugin: avoid malloc in rc_plugin_run this gets called from a signal handler. also fixes potentially feeding non-nul-terminated buffer to strsep(). Ref: https://github.com/OpenRC/openrc/issues/589 --- src/shared/plugin.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/shared/plugin.c b/src/shared/plugin.c index 95fa470bc..97a19a466 100644 --- a/src/shared/plugin.c +++ b/src/shared/plugin.c @@ -107,7 +107,7 @@ rc_plugin_run(RC_HOOK hook, const char *value) sigset_t old; int pfd[2]; pid_t pid; - char *buffer; + char buffer[BUFSIZ]; char *token; char *p; ssize_t nr; @@ -169,10 +169,12 @@ rc_plugin_run(RC_HOOK hook, const char *value) sigprocmask(SIG_SETMASK, &old, NULL); close(pfd[1]); - buffer = xmalloc(sizeof(char) * BUFSIZ); - memset(buffer, 0, BUFSIZ); - while ((nr = read(pfd[0], buffer, BUFSIZ)) > 0) { + /* FIXME: this will be buggy if `read` cuts the buffer in the + * middle. getdelim() could work, but this function is + * currently being called from within a signal handler. */ + while ((nr = read(pfd[0], buffer, sizeof(buffer) - 1)) > 0) { + buffer[nr] = '\0'; p = buffer; while (*p && p - buffer < nr) { token = strsep(&p, "="); @@ -187,7 +189,6 @@ rc_plugin_run(RC_HOOK hook, const char *value) } } - free(buffer); close(pfd[0]); rc_waitpid(pid);