From 8974ef2124118e4ed8cad7ee0534b36e5c584c4e Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Sun, 15 May 2022 19:22:05 -0400 Subject: mntent: fix potential mishandling of extremely long lines commit 05973dc3bbc1aca9b3c8347de6879ed72147ab3b made it so that lines longer than INT_MAX can in theory be read, but did not use a suitable type for the positions determined by sscanf. we could change to using size_t, but since the signature for getmntent_r does not admit lines longer than INT_MAX, it does not make sense to support them in the legacy thread-unsafe form either -- the principle here is that there should not be an incentive to use the unsafe function to get added functionality. --- src/misc/mntent.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/misc/mntent.c b/src/misc/mntent.c index 962b8767..d404fbe3 100644 --- a/src/misc/mntent.c +++ b/src/misc/mntent.c @@ -2,6 +2,7 @@ #include #include #include +#include static char *internal_buf; static size_t internal_bufsize; @@ -42,6 +43,7 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf, int bufle } len = strlen(linebuf); + if (len > INT_MAX) continue; for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = len; sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d", n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, -- cgit v1.2.1