]> git.alsa-project.org Git - alsa-lib.git/commitdiff
git://git.alsa-project.org / alsa-lib.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cd04da2)
aserver: fix buffer overwriting
authorMingjie Shen <shen497@purdue.edu>
Wed, 15 Nov 2023 21:40:07 +0000 (16:40 -0500)
committerJaroslav Kysela <perex@perex.cz>
Mon, 11 Dec 2023 08:20:06 +0000 (09:20 +0100)
name array should allocate space for the null terminator. Also, need to
check if client->name has enough space for strcpy.

Closes: https://github.com/alsa-project/alsa-lib/pull/364
Signed-off-by: Mingjie Shen <shen497@purdue.edu>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
aserver/aserver.c patch | blob | history

diff --git a/aserver/aserver.c b/aserver/aserver.c
index 1742f628e55393199588e77739014e5cc3fcfb5b..50ee3992d88a96887c647edd71cdeb4ccd36ee14 100644 (file)
--- a/aserver/aserver.c
+++ b/aserver/aserver.c
@@ -738,7 +738,7 @@ static int snd_client_open(client_t *client)
                ans.result = -EINVAL;
                goto _answer;
        }
-       name = alloca(req.namelen);
+       name = alloca(req.namelen + 1);
        err = read(client->ctrl_fd, name, req.namelen);
        if (err < 0) {
                SYSERROR("read failed");
@@ -775,6 +775,10 @@ static int snd_client_open(client_t *client)
        name[req.namelen] = '\0';
 
        client->transport_type = req.transport_type;
+       if (sizeof(client->name) < (size_t)(req.namelen + 1)) {
+               ans.result = -ENOMEM;
+               goto _answer;
+       }
        strcpy(client->name, name);
        client->stream = req.stream;
        client->mode = req.mode;
ALSA library repository