From 322a98c8c9e5b952203a4f2245dee4f4c37d6e71 Mon Sep 17 00:00:00 2001 From: Ryan Lee Date: Tue, 6 Aug 2024 12:44:47 -0700 Subject: [PATCH] Fix incorrect strnlen length in aa_load.c load_policy_dir POSIX states that d_name has up to NAME_MAX (255) characters, and glibc stores d_name as an array of size NAME_MAX+1 (256). Thus, supplying PATH_MAX (4096) as the max length could trigger a buffer overrun. This could be an even bigger issue on other libcs, as POSIX states that d_name can be unsized. Fortunately, this does not seem to cause actual issues, as the length is only used to compare d_name to a short fixed string. However, it'd be better to pass the actual correct max length to strnlen. Signed-off-by: Ryan Lee --- binutils/aa_load.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/binutils/aa_load.c b/binutils/aa_load.c index a66efd3f5..d765c419b 100644 --- a/binutils/aa_load.c +++ b/binutils/aa_load.c @@ -172,7 +172,8 @@ static int load_policy_dir(const char *dir_path) while ((dir = readdir(d)) != NULL) { /* Only check regular files for now */ if (dir->d_type == DT_REG) { - len = strnlen(dir->d_name, PATH_MAX); + /* As per POSIX dir->d_name has at most NAME_MAX characters */ + len = strnlen(dir->d_name, NAME_MAX); /* Ignores .features */ if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) { continue;
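Review bot: In the unchanged `strncmp(dir->d_name, CACHE_FEATURES_FILE, len)` line that follows the new `strnlen` call, `len` is the length of `d_name`, so the test is a prefix match: any regular file whose name is a leading substring of CACHE_FEATURES_FILE compares equal and is skipped, not only the features file itself. POSIX requires `d_name` to be a filename of at most NAME_MAX bytes followed by a terminating NUL, so a plain `strcmp(dir->d_name, CACHE_FEATURES_FILE) == 0` would give an exact match and take `len` out of this test entirely, which also makes the choice of `strnlen` bound moot for it. If `len` is still needed outside the visible context, the new comment could state that NAME_MAX excludes the terminating NUL, since that is what makes it a safe bound for the NAME_MAX+1 array mentioned in the commit message.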