as6e: Avoid out of bound access

This fixes a crash caused by stack corruption.
To reproduce the bug, add an entry to the PATH variable that exceeds
128 characters. More characters may be needed to actually reach the stack
corruption.
merge-requests/83/head
Martin Güthle 2018-10-25 08:53:58 +02:00 zatwierdzone przez Hinterwaeldlers
rodzic 54aa154d91
commit f111032e7f
1 zmienionych plików z 19 dodań i 11 usunięć


@ -799,7 +799,7 @@ check_for_driver (const char *devname)
char *path;
char fullname[NAMESIZE];
char dir[NAMESIZE];
int count = 0, offset = 0;
int count = 0, offset = 0, valid;
path = getenv ("PATH");
if (!path)
@ -808,11 +808,18 @@ check_for_driver (const char *devname)
{
memset (fullname, '\0', sizeof (fullname));
memset (dir, '\0', sizeof (dir));
valid = 1;
while ((path[count] != ':') && (path[count] != '\0'))
{
/* prevent writing data, which are out of bounds */
if ((unsigned int)(count - offset) < sizeof (dir))
dir[count - offset] = path[count];
else
valid = 0;
count++;
}
if (valid == 1)
{
/* use sizeof(fullname)-1 to make sure there is at least one padded null byte */
strncpy (fullname, dir, sizeof(fullname)-1);
/* take into account that fullname already contains non-null bytes */
@ -824,6 +831,7 @@ check_for_driver (const char *devname)
if (S_ISREG (modes))
return (1); /* found as6edriver */
}
}
if (path[count] == '\0')
return (0); /* end of path --no driver found */
count++;
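Review bot: The new guard `if ((unsigned int)(count - offset) < sizeof (dir))` still accepts a PATH entry of exactly `sizeof (dir)` characters, which fills `dir` completely, leaves it without a terminating NUL, and keeps `valid` at 1. The following `strncpy (fullname, dir, sizeof(fullname)-1)` stays in bounds, but it silently drops the last character, so the lookup would probe a different directory than the one named in PATH instead of skipping the entry. Comparing against `sizeof (dir) - 1` would mark such an entry invalid: `if ((size_t)(count - offset) < sizeof (dir) - 1)`. The lines between the second and third hunk are not shown; if they append `/` and `devname` with bounded concatenation, the same silent truncation applies there, and a length check before the `S_ISREG` test would be worth adding. check_for_driver begins and ends outside the hunks.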