From cb4786f1b6eb694545541bef89f942b00c2ff022 Mon Sep 17 00:00:00 2001
From: Andreas Gruenbacher <agruenba@redhat.com>
Date: Mon, 17 Dec 2018 14:38:26 +0100
Subject: attr_list, attr_listf: Guard against unterminated buffer

attr_list and attr_listf can crash when the listxattr, llistxattr, or
flistxattr syscalls incorrectly return an unterminated buffer.  Guard
against that by always appending a null character.
---
 libattr/libattr.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libattr/libattr.c b/libattr/libattr.c
index 8180c3f..d550e10 100644
--- a/libattr/libattr.c
+++ b/libattr/libattr.c
@@ -290,7 +290,7 @@ attr_list(const char *path, char *buffer, const int buffersize, int flags,
 {
 	const char *l;
 	int length, vlength, count = 0;
-	char lbuf[MAXLISTLEN];
+	char lbuf[MAXLISTLEN+1];
 	char name[MAXNAMELEN+16];
 	int start_offset, end_offset;
 
@@ -301,11 +301,12 @@ attr_list(const char *path, char *buffer, const int buffersize, int flags,
 	bzero(buffer, sizeof(attrlist_t));
 
 	if (flags & ATTR_DONTFOLLOW)
-		length = llistxattr(path, lbuf, sizeof(lbuf));
+		length = llistxattr(path, lbuf, sizeof(lbuf) - 1);
 	else
-		length = listxattr(path, lbuf, sizeof(lbuf));
+		length = listxattr(path, lbuf, sizeof(lbuf) - 1);
 	if (length <= 0)
 		return length;
+	lbuf[length] = 0;  /* not supposed to be necessary */
 
 	start_offset = sizeof(attrlist_t);
 	end_offset = buffersize & ~(8-1);	/* 8 byte align */
@@ -340,7 +341,7 @@ attr_listf(int fd, char *buffer, const int buffersize, int flags,
 {
 	const char *l;
 	int length, vlength, count = 0;
-	char lbuf[MAXLISTLEN];
+	char lbuf[MAXLISTLEN+1];
 	char name[MAXNAMELEN+16];
 	int start_offset, end_offset;
 
@@ -350,9 +351,10 @@ attr_listf(int fd, char *buffer, const int buffersize, int flags,
 	}
 	bzero(buffer, sizeof(attrlist_t));
 
-	length = flistxattr(fd, lbuf, sizeof(lbuf));
+	length = flistxattr(fd, lbuf, sizeof(lbuf) - 1);
 	if (length < 0)
 		return length;
+	lbuf[length] = 0;  /* not supposed to be necessary */
 
 	start_offset = sizeof(attrlist_t);
 	end_offset = buffersize & ~(8-1);	/* 8 byte align */
-- 
cgit v1.2.1