contrib/lar: check for buffer overflows in lar_find_archive() and lar_find_member()
authorJo-Philipp Wich <jow@openwrt.org>
Mon, 6 Apr 2009 17:54:55 +0000 (17:54 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Mon, 6 Apr 2009 17:54:55 +0000 (17:54 +0000)
contrib/lar/lar.c

index 57a16e9ff7d957f60bf341ab7310a9bafa1c87f2..ad6cfc8e5d4f492ee0d9545edd093c422aeae210 100644 (file)
@@ -182,7 +182,12 @@ lar_archive * lar_find_archive( const char *package )
        LAR_FNAME(buffer);
 
        for( len = 0; package[len] != '\0'; len++ )
+       {
+               if( len >= sizeof(buffer) )
+                       LAR_DIE("Package name exceeds maximum allowed length");
+
                if( package[len] == '.' ) seg++;
+       }
 
        while( seg > 0 )
        {
@@ -213,7 +218,12 @@ lar_member * lar_find_member( lar_archive *ar, const char *package )
        LAR_FNAME(buffer);
 
        for( len = 0; package[len] != '\0'; len++ )
+       {
+               if( len >= sizeof(buffer) )
+                       LAR_DIE("Package name exceeds maximum allowed length");
+
                buffer[len] = ( package[len] == '.' ) ? '/' : package[len];
+       }
 
        buffer[len+0] = '.'; buffer[len+1] = 'l'; buffer[len+2] = 'u';
        buffer[len+3] = 'a'; buffer[len+4] = '\0';