From 5fb265eaa725928b59b44aa9bfe8959256014ba1 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Sun, 5 Apr 2015 14:36:31 +0200
Subject: ctrl: Avoid accessing cmd_desc->command out of bounds

We check that the amount of commands is not more than we have but we don't check it the other way. It appears that the vector is allowed to be bigger than the amount of commands. So we match a prefix of a longer command depending on the installation order.
---
 src/ctrl/control_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/ctrl/control_cmd.c b/src/ctrl/control_cmd.c
index 4e156b81..3dbcf8f6 100644
--- a/src/ctrl/control_cmd.c
+++ b/src/ctrl/control_cmd.c
@@ -86,7 +86,7 @@ static struct ctrl_cmd_element *ctrl_cmd_get_element_match(vector vline, vector
 cmd_desc = &cmd_el->strcmd;
 if (cmd_desc->nr_commands > vector_active(vline))
 continue;
- for (j =0; j < vector_active(vline); j++) {
+ for (j =0; j < vector_active(vline) && j < cmd_desc->nr_commands; j++) {
 str = vector_slot(vline, j);
 desc = cmd_desc->command[j];
 if (desc[0] == '*')
-- 
cgit v1.2.3
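Review bot: The added bound `j < cmd_desc->nr_commands` stops the read past the end of `cmd_desc->command`, but any tokens in `vline` beyond `nr_commands` are now left uncompared, and nothing in the hunk states whether a longer input line is still meant to select this element. Since the guard just above already skips elements with `nr_commands > vector_active(vline)`, the `j < vector_active(vline)` half of the condition appears redundant, and the loop could read `for (j = 0; j < cmd_desc->nr_commands; j++) {`. I would also add a comment above the loop, for example `/* vline may hold more tokens than the command; only the first nr_commands are compared */`, so that the prefix-match behaviour mentioned in the commit message is a documented decision and not a side effect of installation order. The rest of the loop body and the match test after it lie outside the hunk, so confirm there whether a longer line is accepted or rejected, because this lookup presumably runs on input from control-interface clients.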