Commit c725ee54 authored by Michal Nazarewicz's avatar Michal Nazarewicz Committed by Linus Torvalds

gen_init_cpio: avoid NULL pointer dereference and rework env expanding

getenv() may return NULL if given environment variable does not exist
which leads to NULL dereference when calling strncat.

Besides that, the environment variable name was copied to a temporary
env_var buffer, but this copying can be avoided by simply using the input

Lastly, the whole loop can be greatly simplified by using the snprintf
function instead of the playing with strncat.

 By the way, the current implementation allows a recursive variable
 expansion, as in:

   $ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a
   out a b a out

 I'm assuming this is just a side effect and not a conscious decision
 (especially as this may lead to infinite loop), but I didn't want to
 change this behaviour without consulting.

 If the current behaviour is deamed incorrect, I'll be happy to send
 a patch without recursive processing.
Signed-off-by: default avatarMichal Nazarewicz <>
Cc: Kees Cook <>
Cc: Jiri Kosina <>
Cc: Jesper Juhl <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 0ca43435
......@@ -382,24 +382,15 @@ error:
static char *cpio_replace_env(char *new_location)
char expanded[PATH_MAX + 1];
char env_var[PATH_MAX + 1];
char *start;
char *end;
for (start = NULL; (start = strstr(new_location, "${")); ) {
end = strchr(start, '}');
if (start < end) {
*env_var = *expanded = '\0';
strncat(env_var, start + 2, end - start - 2);
strncat(expanded, new_location, start - new_location);
strncat(expanded, getenv(env_var),
PATH_MAX - strlen(expanded));
strncat(expanded, end + 1,
PATH_MAX - strlen(expanded));
strncpy(new_location, expanded, PATH_MAX);
new_location[PATH_MAX] = 0;
} else
char *start, *end, *var;
while ((start = strstr(new_location, "${")) &&
(end = strchr(start + 2, '}'))) {
*start = *end = 0;
var = getenv(start + 2);
snprintf(expanded, sizeof expanded, "%s%s%s",
new_location, var ? var : "", end + 1);
strcpy(new_location, expanded);
return new_location;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment