From c2e3a78aa303e8b0df7afa15e830f11b716eb93b Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Thu, 17 Feb 2022 22:11:06 -0600
Subject: [PATCH] Security: Executed program string is not NULL terminated. While the FLL code doesn't need NULL termination, the C/POSIX execute functions are. The lack of a NULL terminated results in an invalid read on execute.
---
 level_3/controller/c/entry/private-entry.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/level_3/controller/c/entry/private-entry.c b/level_3/controller/c/entry/private-entry.c
index 572568e..f4928ee 100644
--- a/level_3/controller/c/entry/private-entry.c
+++ b/level_3/controller/c/entry/private-entry.c
@@ -391,18 +391,26 @@ extern "C" {
 action->parameters.array[j].used = 0;
- status = f_string_dynamic_partial_append_nulless(cache->buffer_file, cache->content_actions.array[i].array[j], &action->parameters.array[j]);
+ if (cache->content_actions.array[i].array[j].start > cache->content_actions.array[i].array[j].stop) continue;
- if (F_status_is_error(status)) {
- controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "f_string_dynamic_partial_append_nulless", F_true, global.thread);
+ status = f_string_dynamic_increase_by((cache->content_actions.array[i].array[j].stop - cache->content_actions.array[i].array[j].start) + 1, &action->parameters.array[j]);
- action->status = status;
+ if (F_status_is_error(status)) {
+ controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "f_string_dynamic_increase_by", F_true, global.thread);
+ }
+ else {
+ status = f_string_dynamic_partial_append_nulless(cache->buffer_file, cache->content_actions.array[i].array[j], &action->parameters.array[j]);
- if (F_status_is_error_not(status_action)) {
- status_action = status;
+ if (F_status_is_error(status)) {
+ controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "f_string_dynamic_partial_append_nulless", F_true, global.thread);
 }
+ else {
+ status = f_string_dynamic_terminate_after(&action->parameters.array[j]);
- break;
+ if (F_status_is_error(status)) {
+ controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "f_string_dynamic_partial_append_nulless", F_true, global.thread);
+ }
+ }
 }
 ++action->parameters.used;
--
1.8.3.1
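Review bot: The three new error branches only print and then fall through to `++action->parameters.used;`, so the `action->status = status;`, the `status_action` update and the `break;` that the removed lines performed are gone. As far as the hunk shows, a parameter whose `f_string_dynamic_terminate_after()` call failed is still counted as used and may reach the execute call without its terminating NULL, which is the invalid read this commit sets out to close. I would restore `action->status = status;`, `if (F_status_is_error_not(status_action)) status_action = status;` and `break;` under a single `if (F_status_is_error(status))` placed after the if/else chain and before the increment. The innermost `controller_entry_print_error()` call should also name `"f_string_dynamic_terminate_after"` rather than `"f_string_dynamic_partial_append_nulless"`, otherwise the diagnostic points at the wrong call. The enclosing loop starts and ends outside the hunk, so any later check of `status` is not visible here.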