commandhelper: Make number of fds variable in printInput

Fixes a buffer overflow triggered when more than three "--readfd" arguments were given on the command line. Signed-off-by: Tim Wiederhake <twiederh@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2025-01-22 04:25:18 +00:00 · 2021-02-01 12:27:58 +01:00 · 2021-02-01 12:27:58 +01:00 · 8cdbedfdbf
commit 8cdbedfdbf
parent ba326d08b4
1 changed files with 22 additions and 5 deletions
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@ -204,13 +204,23 @@ static int printCwd(FILE *log)
 static int printInput(struct Arguments *args)
 {
    char buf[1024];
-    struct pollfd fds[3];
+    struct pollfd *fds = NULL;
-    char *buffers[3] = {NULL, NULL, NULL};
+    char **buffers = NULL;
-    size_t buflen[3] = {0, 0, 0};
+    size_t *buflen = NULL;
    int ret = -1;
    size_t i;
    ssize_t got;
    if (!(fds = calloc(args->numreadfds, sizeof(*fds))))
        goto cleanup;
    /* plus one NULL terminator */
    if (!(buffers = calloc(args->numreadfds + 1, sizeof(*buffers))))
        goto cleanup;
    if (!(buflen = calloc(args->numreadfds, sizeof(*buflen))))
        goto cleanup;
    if (args->close_stdin) {
        if (freopen("/dev/null", "r", stdin) != stdin)
            goto cleanup;
@ -292,8 +302,15 @@ static int printInput(struct Arguments *args)
    ret = 0;
 cleanup:
-    for (i = 0; i < G_N_ELEMENTS(buffers); i++)
+    if (buffers) {
-        free(buffers[i]);
+        char **ptr;
        for (ptr = buffers; *ptr; ptr++)
            free(*ptr);
    }
    free(fds);
    free(buflen);
    free(buffers);
    return ret;
 }