[uclibc-ng-devel] [PATCH] confdata: fix invalid write

stndup will copy *up to* the size parameter, not allocate a buffer of that size, so the buffer is not necessarily large enough to fit the ".old" extension.

Caught with glibc's MALLOC_CHECK_=3.

Signed-off-by: Ben Boeckel mathstuf@gmail.com --- extra/config/confdata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/extra/config/confdata.c b/extra/config/confdata.c index 61c91c2..94c63c0 100644 --- a/extra/config/confdata.c +++ b/extra/config/confdata.c @@ -814,7 +814,8 @@ next: fclose(out);

if (*tmpname) { - dirname = strndup(basename, strlen(basename) + 4); + dirname = malloc(strlen(basename) + 4 + 1); + strcpy(dirname, basename); strcat(dirname, ".old"); rename(newname, dirname); free(dirname);