shared/logs-show: fix mixup between length-based memory duplication a…

…nd string operations We'd look for a '=' separator using memchr, i.e. ignoring any nul bytes in the string, but then do a strndup, which would terminate on any nul byte, and then again do a memcmp, which would access memory past the chunk allocated by strndup. Of course, we probably shouldn't allow keys with nul bytes in them. But we currently do, so there might be journal files like that out there. So let's fix the journal-reading code first.
keszybz · May 21, 2018 · 056129d · 056129d
1 parent 461f045
commit 056129d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
@@ -826,7 +826,7 @@ static int output_json(
                 if (!eq)
                         continue;
 
-                n = strndup(data, eq - (const char*) data);
+                n = memdup_suffix0(data, eq - (const char*) data);
                 if (!n) {
                         r = log_oom();
                         goto finish;
@@ -880,7 +880,7 @@ static int output_json(
 
                         m = eq - (const char*) data;
 
-                        n = strndup(data, m);
+                        n = memdup_suffix0(data, m);
                         if (!n) {
                                 r = log_oom();
                                 goto finish;

diff --git a/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45 b/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45