From 48946dbe5530abb8594002821f041694a4a26cb2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 13 Oct 2014 16:22:21 +0200
Subject: init: fix a major bug in interactive mode
A buffer overflow happens in interactive mode, where the prompt is copied into a string as large as the level of braces and forgets to also allocate enough room for the max string length. Moreover, the string copy is limited to the max string length but this size was not allocated.
The net effect is init segfaulting in interactive mode when exiting a prompt using ".", because the message displayed when entering the mode overwrites some context info which his needed upon exit.
---
 init/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/init.c b/init/init.c
index e0a45d9..7819410 100644
--- a/init/init.c
+++ b/init/init.c
@@ -1376,7 +1376,7 @@ int main(int argc, char **argv, char **envp) {
 if (cmd_input == INPUT_KBD) {
 int len;
 char *cmd_ptr = cmd_line;
- static char prompt[MAX_BRACE_LEVEL + 4];
+ static char prompt[sizeof(cmd_line) + MAX_BRACE_LEVEL + 4];
 char *p = prompt;
 int lev1, lev2;
--
1.7.12.1
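Review bot: The new size on the `+` line is only a real fix if `cmd_line` is declared as a character array in this scope, since `sizeof(cmd_line)` on a `char *` yields the pointer width and leaves `prompt` almost as undersized as before; the `char *cmd_ptr = cmd_line;` context line is consistent with either declaration, so this is worth confirming against the definition, which is outside the hunk, or replacing with the named maximum-length constant the commit message refers to. The expression also deserves a comment because the `+ 4` is unexplained and the array is `static`, e.g. `/* brace-level markers, a full copy of cmd_line, prompt suffix and NUL */`. Sizing the destination to match a copy bounded elsewhere keeps two constants in sync by hand; the copy and the later `p` arithmetic, which live outside this hunk in main, should be bounded by `sizeof(prompt)` so a future change to either cannot reintroduce the overflow.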