On Sunday, 18 December 2016 20:09:29 CET Richard W.M. Jones wrote:
Make sure it is reasonable before we pass it through to the kernel
command line. I don't believe this is exploitable, but it might cause
obscure bugs.
---
src/launch.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/launch.c b/src/launch.c
index 84d5e82..ee2a23d 100644
--- a/src/launch.c
+++ b/src/launch.c
@@ -39,6 +39,8 @@
#include <assert.h>
#include <libintl.h>
+#include "c-ctype.h"
+
#include "guestfs.h"
#include "guestfs-internal.h"
#include "guestfs-internal-actions.h"
@@ -284,6 +286,28 @@ guestfs_impl_config (guestfs_h *g,
return 0;
}
+/**
+ * Check that the $TERM environment variable is reasonable before
+ * we pass it through to the appliance.
+ */
+static int
+valid_term (const char *term)

I guess the return value can be bool.

+{
+ size_t len = strlen (term);
+
+ if (len == 0 || len > 16)
+ return 0;
+
+ while (len > 0) {
+ char c = *term++;
+ len--;
+ if (!c_isalnum (c) && c != '-' && c != '_')
+ return 0;
+ }
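
Review bot: the `len > 16` bound in valid_term is a bare magic number with no comment explaining it, and it is tight. A terminal name such as rxvt-unicode-256color is 21 characters and would be rejected by this check, as would any name containing '.' or '+', since only alphanumerics, '-' and '_' pass. Consider a named constant with a short rationale for the limit, and extend the doc comment to state the accepted character set and what the return value means.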

The loop is fine already, maybe the need to use len can be dropped:

  for (; *term; ++term) {
    char c = *term;
    if (!c_isalnum (c) && c != '-' && c != '_')
      return 0;
  }

Thanks,
--
Pino Toscano